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SECTION 1 
INTRODUCTION 


General Aviation serves an important role in transportation and 
in the Nation's economy. But operating procedures are compli- 
cated, regulations are restrictive, and the demands of the 
National Air Traffic Control CATC) system are increasing. All of 
these factors contribute to an increasing dependence on avionics 
and to a corresponding Increase in their cost and complexity. 
Furthermore, such diverse considerations as safety, rising fuel 
costs, and the desire to improve single pilot IFR operation will 
stimulate the demand for even more avionics. 

To date, the avionics industry has been able to meet the increas- 
ing requirements for avionics at affordable prices by aggressively 
applying new technologies. The application of new technology has 
been along traditional lines, however, with integration occurring 
only in a few specific areas such as navigation/communication sys- 
tems and integrated flight director/autopilot designs. Using 
this approach, the addition of more sophisticated capabilities — 
such as a performance computer, a pilot alert system, or a ground- 
proximity warning system — is expensive and cumbersome because 
of the need for separate computers, separate displays and controls, 
and signals from aircraft sensors that either do not have an ap- 
propriate output, or are not easily accessible. However, as a 
result of recent developments in microprocessors, busing, displays, 
and software technology, it may be possible to configure an inte- 
grated avionics system that is better suited for accommodating 
these future requirements. 
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In 1975, a research and development program was Initiated within 
the National Aeronautics and Space Administration to determine 
the feasibility of developing an integrated avionics system suit- 
able for general aviation in the mid-1980s and beyond. The ob- 
jective was to provide information required for the design of 
reliable integrated avionics. This avionics was to provide ex- 
panded functional capability that would significantly enhance the 
utility and safety of general aviation at a cost commensurate 
with the general aviation market. 

The program has emphasized the use of a data bus, microprocessors, 
electronic displays and data entry devices, and improved function 
capabilities. As a final step, a Demonstration Advanced Avionics 
System (DAAS) capable of evaluating the most critical and promis- 
ing elements of an integrated system will be designed, built, and 
flight tested in a twin-engine general aviation aircraft. 

A contract was awarded to Honeywell, Inc., teamed with King Radio 
Corp. , in August 1978 for the design and fabrication of DAAS. 

The specific objectives were (1) to fabricate an integrated avi- 
onics system based on the information obtained in the investiga- 
tions described in the foregoing paragraph (2) to incorporate in 
this system a set of functional capabilities that will be bene- 
ficial to general aviation, and (3) to design the displays and 
controls so that the pilot can use the system after minimum train- 
ing. The system will be installed in the Ames Research Center's 
Cessna 402B in the early part of 1981; engineering flight testing 
will begin at King Radio in Olathe, Kansas, in mid-1981. Flight 
tests at Ames Research Center are expected to start in late 1981. 
During the flight tests, guest pilots from various segments of 
the general aviation community will be invited to evaluate the 
DAAS concept . 
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The DAAS Program also Includes definition and analysis of a pro- 
jected Advanced Avionics System (PAAS). PAAS extrapolates the 
DAAS concept of integrated, fault tolerant avionics to a poten- 
tial operational version for the mid-1980s. PAAS was analyzed to 
determine reliability, cost, etc., and impact of the DAAS concept 
in comparison to conventional architecture. The results are con- 
tained herein. 

This report documents the DAAS Program Phase I System Design, and 
includes the following; 

• DEMONSTRATION ADVANCED AVIONICS SYSTEM (DAAS) 

- DAAS Functional Description 

- DAAS Hardware Description 

- DAAS Operational Evaluation 

- DAAS Failure Modes Effects Analysis 

• Project Advanced Avionics System (PAAS) 

- PAAS Description 

- PAAS Reliability Analysis 

- PAAS Cost Analysis 

- PAAS Maintainability Analysis 

- PAAS Modularity Analysis 

• Conclusions and Recommendations 

Additional detailed design information is contained in the follow- 
ing documents ; 
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• 'Demonstration Advanced Avionics System (DAAS) Functional 
Description,' 15 October 1980, NASA CR-152405, by Honeywell 
Inc. and King Radio for Ames Research Center, NASA. 

• 'DAAS-System Specification (YG 1210),' 20 December 1979, 
Honeywell Specification DS 28150-01. 

• 'DAAS Central Computer Unit (BG1135),' 3 October 1980, 
Hone 3 nvell Specification DS 28151-01. 

• 'EHSI (Electronic Horizontal Situation Indicator) JG12D4AA, ' 

13 December 1979, Honejrwell Specification D538153-01, 

• ' IDCC (Integrated Display and Control Center), DAAS 
HG1052AA, ' 13 December 1979, Honejnvell Specification 
DS28154-01. 

• ' NASA-Honeywell DAAS Radio Adapter Unit P/N 066-1083-00,' 

14 September 1979, King Radio Corp. Specification 001-5018-00. 

• 'Software Development Specification For Y61210 NASA DAAS 
Avionics System, ' Honesrwell Specification DS28152-01. 
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SECTION 2 

DEMONSTRATION ADVANCED AVIONICS SYSTEM (DAAS) 


DAAS IS the demonstrator system intended to physically demonstrate 
the characteristics of a fault tolerant integrated avionics sys- 
tem in a Cessna 402B aircraft. Following is description of the 
demonstrator system including functional description, hardware 
description, documentation of the DAAS operational evaluation 
conducted on the DAAS simulator, and documentation of the failure 
modes and effects analysis conducted to verify DAAS flight safety. 


2.1 DAAS FUNCTIONAL DESCRIPTION 

The DAAS is an integrated system. It performs a broad range of 
general aviation avionics functions using one computer system, 
and shared controls and displays. Following is brief description 
of the DAAS functions, controls and displays, and DAAS architec- 
ture. 

2.1.1 DAAS Functions 

• Autopilot - The autopilot is a digital version of the King 
KFC200 modified for compatibility with DAAS. The basic auto- 
pilot modes are : 

- Yaw Damper 

- HDG SEL (Heading Select) 

- ALT, ALT ARM (Altitude Hold, Altitude Arm) 
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- NAV, VNAV Coupled Control 

- Approach Coupled Control 

• Navigation/Flight Planning - The navigation/flight planning 
function computes aircraft position with respect to an en- 
tered flight plan, and blends dead-reckoning position (as 
determined from airspeed and heading) with position extracted 
from automatically tuned VOR/DME receivers. Functions are: 

- 10 Waypoints, 10 NAVAID Storage 

- Kalman Filter Blending 

- Moving Map Display 

• Flight Warning/Advisory System - DAAS includes extensive 

monitoring, with warning capability. For example, the DAAS 
system monitors engine performance (MAP, RPM), aircraft con- 
figuration (gear position, flap position, etc.) with respect 
to flight condition, and ground proximity and informs the 
pilot of undesirable situations. Monitoring includes: 

- Engine Parameter Monitoring Warning 

- Aircraft Configuration Monitoring, Warning 

- Airspeed and Stall Monitoring, Warning 

- Altitude Advisory Function 

- Marker Beacon Advisory Function 

- NAVAID Identification Monitoring 

- Autopilot/Flight Director Monitoring 

- BIT Fault Warning 
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• GMT Clock Function - The DAAS computer serves as a GMT 
clock. 

• Fuel Totalizer Function - Fuel flow is integrated to total- 
ize fuel used. 

• Weight and Balance Computations - Weight and balance, and 
takeoff cruise performance calculations can be quickly and 
conveniently performed using DAAS controls and displays. 

• Performance Computations - The DAAS system will determine 
fuel and time required to fly specific segment distances 
given altitude, temperature, wind data, and engine power 
setting. Performance computation functions are: 

- Takeoff Performance 

- Cruise Performance 

- Fuel/Distance/Time Computation 

• DABS (Discrete Address Beacon System) ATC Communication, 
Weather Reporting - ATC text messages (e.g., CLIMB AND MAIN- 
TAIN 1200 FT) or weather information at destination can be 
communicated to the DAAS pilot via DABS data link and dis- 
played on the DAAS electronic display. 

• BIT (Built-in Test) - The DAAS system will detect and local- 
ize its own faults via BIT. Provisions are also included 
for troubleshooting the DAAS hardware through DAAS controls 
and electronic displays. 
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• Normal, Emergency Checklists - Normal and emergency check- 
lists are stored in the DAAS computer, and are available for 
display at the push of a button. 

These functions are managed via shared controls and displays, and 
performed in the common DAAS computer system. 

2.1.2 DAAS Controls and Displays 

The DAAS Cessna 402B aircraft contains — 

• Controls and displays necessary to manage DAAS functions. 

• Additional instruments necessary for IFR flight operations. 

• Independent safety pilot instrument installation. 

These controls and displays are layed out in the 402B control 
panel as indicated in Figure 2-1, Cessna 402B Layout. The DAAS 
pilot IS in the left seat, and the safety pilot in the right seat. 
Electronic displays — the Electronic Horizontal Situation Indi- 
cator (EHSI) and Integrated Data Control Center (IDCC) — are key 
elements of the panel. 

The EHSI presents a moving map display showing aircraft position 
with respect to desired course. The display is a 4.5-inch mono- 
chromatic Ball Brothers 103C CRT raster display unit. The dis- 
play unit has 256- by 256-dot matrix display capability. P43 
phosphor IS used together with an appropriate narrow band optical 
filter to allow operation in bright sunlight. The EHSI is con- 
trolled by functional control buttons and a map slew controller. 
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The Integrated Data Control Center (IDCC) is the pilot's primary 
means of interacting with DAAS. Included are a keyboard at the 
bottom of the unit and a set of function buttons along the top. 
The function buttons include a set of page select buttons which 
determine the information that is displayed on the IDCC display. 

The IDCC display CRT is identical to the EHSI, i.e., 4.5-inch by 
4.5-inch Ball Brothers monochromatic unit. The IDCC can display 
16 lines of 32 characters each. Line spacing is 0.25 inch, char 
acter height is 0.162 inch, and character width is 0.125 inch. 

The IDCC is implemented with menu select buttons along each side 
of the CRT, or with a pressure sensitive plastic screen overlay 
for touch point menu selection. The alternate approaches can be 
implemented to allow comparison during flight test. 

The DAAS EHSI is surrounded by the conventional "T" pattern of 
flight control instriunents . 

The ADI used in DAAS is the 4-inch King KCI 310 Flight Command 
Indicator. 

The altimeter is an IDC Encoding Altimeter type 519-28702-571. 

An altitude alert light is mounted on the altimeter. 

The rate-of-climb indicator provides vertical speed information 
to the pilot. The display presents rates of climb, or descent, 
in feet per minute. The face is 2-1/4 inches wide. 

The King KI 226 RMI displays heading and bearing to a selected 
VOR station. 
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The DAAS Autopilot Mode Controller is located on the pedestal, 
and the Autopilot Mode Annunciator is located above the altimeter. 

DAAS engine instruments and radio stack are centrally located and 
are accessible to the DAAS pilot and the safety pilot. 

Unique DAAS switch controls located on the panel include . 

• NAV 1-DAAS/MANUAL Tune (located to the right of the NAV 1 
radio) 

• NAV 2-DAAS/MANUAL Tune (located to the right of the NAV 2 
radio) 

• DME TRANSFER (located to the right of the DME) 

• VOR source switch (located to the lower left of the RMI) 

• ILS source switch (located to the lower left of the ADI) 

NAV Receivers can be tuned manually (MANUAL) or automatically 
(DAAS). The DME transfer switch allows the DME receiver to be 
tuned by either NAV receiver 1 or 2. The DAAS position slaves 
the DME to the NAV receiver being controlled by DAAS . 

The safety pilot instriunent set is independent from the DAAS 
instruments, and adequate for safe flight with DAAS inoperative. 

The safety pilot's Pictorial Navigation Indicator displays air- 
craft magnetic heading (gyro-stabilized), selected heading and 
selected course. Also, VOR and localizer course deviation, 
glideslope deviation and a TO-FROM indication are presented. 
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The safety pilot's KG-258 artificial horizon is an air driven 
unit. It IS the safety pilot's basic attitude/horizon reference 
indicator. 

Aircraft master power controls are centrally located overhead. 
Circuit breakers are located on the pedestal. 

2.1.3 DAAS System Architecture 

DAAS system architecture is presented in Figure 2-2. The archi- 
tecture IS characterized by a modular computer system structure; 
i.e., multimicroprocessors interconnected by an IEEE 488 data bus. 
Each processor block in Figure 2-2, except for the radio system, 
represents an Intel 8086 16-bit microprocessor, 2k by 16 PROM 
memory, and 4k by 16 to 16k by 16 RAM memory. The radio System 
uses the Intel 8048 microprocessor. 

Each processor performs a function, and interfaces directly with 
the subsystems associated with that function. At power-on, the 
bus controller Computer CPU-1 takes functional programs from the 
nonvolatile bubble memory, and sequentially loads each processor 
at the rate of approximately 2 seconds per processor. When all 
processors are loaded, the bus controller activates the system. 

The bus controller then manages bus communications during normal 
operations . 

A portable TI Silent 700 cassette unit can interface with the bus 
controller to allow load or modifications of the functional soft- 
ware . 

CC-CPU 5 IS a spare processor. If processor CC-CPU 3 or CC- 
CPU 4 fails and the bus controller detects the failure. 
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Figure 2-2. DAAS System Architecture 









the bus controller will load CC-CPU 5 with appropriate software 
from bubble memory, and CC-CPU 5 will take over the function of the 
failed processor. (Note This reconfiguration capability is 
especially important when an EHSI and an EADI are included in the 
PAAS system. With a failure in one display, the spare processor 
could be loaded to allow time sharing of the remaining good dis- 
play as both EADI and EHSI.) Such reconfiguration could be ex- 
tended to other processors such as CC-CPU 2, the autopilot. How- 
ever, for such reconfiguration the spare processor must interface 
with autopilot subsystems, which requires additional multiplexing 
of hardware. Reconfiguration was thus applied only to a limited 
degree in this demonstrator system. 


The DAAS architecture is modular. Functions can be added by add- 
ing necessary standard processor modules onto the 488 data bus, 
and interfacing these processor modules with the devices associ- 
ated with the new function. 

Six processors are contained in the DAAS Central Computer Unit. 
One processor is contained in the IDCC, and one processor is 
contained in the radio adapter unit. 


2.2 DAAS HARDWARE DESCRIPTION 

DAAS system components, and their interconnections are depicted 
in Figure 2-3, DAAS System Diagram. Interconnection between the 
DAAS panel instruments, sensors, and the DAAS computer system is 
shown. The DAAS Central Computer obtains data from the radio sys- 
tem (radio adapter unit, radio stack), flight control sensors, 
engine instruments, configuration status sensors, and IDCC. 
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Figure 2-3. DAAS System Diagram 
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Functional computations are performed on the input data and the 
results applied to EHSI, FDI, warning/caution lights, and auto- 
pilot servos. 

Following is a description of new design DAAS flight hardware 
including • 

• Central Computer Units 

• IDCC 

• EHSI 

• Radio Adapter Unit 

The hardware is shown in Figure 2-4. 

2.2.1 Computer Control Unit CCCU) 


The ecu, Figure 2-5, consists of the following computer process- 
ing units (CPUs) and their associated I/O interfaces: 

• Autopilot CPU 

• Bus Controller CPU 

• EHSI CPU 

• NAV CPU 

• DABS CPU 

• Spare CPU 

In addition, the CCU contains a one mega-bit bubble memory and 
the regulated power supplies for the DAAS system. 

2. 2. 1.1 Mechanical — The CCU is packaged in a full ATR Chassis, 
The dimensions of which are given in the installation drawing 
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Figure 2-4. DAAS Flight Hardware. From left to right : 
Electronic Horizontal Situation Indicator, 
Computer Unit , Radio Adapter Unit, 
and Integrated Data Control Center. 
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shown in Figure 2-6. The chassis has been constructed to accept 
up to twenty-three 6.25 by 6.25 inch card assemblies plus four 
larger 10 by 6 inch card assemblies. All interconnections of the 
card assemblies are via a wirewrap mother board. 

2. 2. 1.2 CPU and Memory — Each CPU has been designed to fit on 
a single printed circuit board card assembly as shown in Figure 
2-7. A CPU consists of the 8086 microprocessor, 4K by 16 of RAM 
memory, 2K by 16 of UV-EPROM, an 8259 programmable interrupt con- 
troller, and the IEEE-488 bus interface circuitry. In addition 
to the 8086 microprocessor IC, the processor also contains an 
8284 clock generator, bus buffer logic, and memory chip select 
logic. 

To facilitate software development, the 8086 is mounted in a 
quick-eject socket. This allows easy replacement of the 8086 
with an in-circuit emulator (ICE-86). The 8086 is operated at 
4 MHz by driving the clock generator with a 12 MHz crystal. This 
clock frequency was selected to be comptaible with the ICE-86 
which has a maximum limit of 4 MHz. 

The 8259 programmable interrupt controller provides the capability 
for eight vectored interrupts. The IEEE-488 bus utilizes the 
highest priority interrupt with the rest of the interrupt lines 
connected to special functions associated with each processor. 

The IEEE-488 bus interface is implemented with 9914 GPIB adapter 
and two bus transceiver ICs. The 9914 is a 40-pin LSIC that can 
be programmed to be a talker/listener or as a bus controller while 
meeting all of the requirements of IEEE-488. This feature of the 
9914 allowed all of the CPUs to be designed identically. Communi- 
cation between the 8086 and the 9914 is carried out via memory 
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mapped registers. There are 13 registers within the 9914, 6 of 
which read and 7 write. These registers are used both to pass 
commands or data to, and to get status or data from, the device. 

There are 4K of RAM memory and 2K of UV-EPROM available on the 
CPU card assembly. An additional 4K or 8K of RAM memory is 
available with the memory expansion card assemblies. Memory ex- 
pansion card assemblies are provided for the autopilot, EHSI, 

NAV, and spare CPUs. Also provided on the memory expansion card 
assemblies is the I/O address decoding logic associated with that 
CPU. From a software standpoint, all of the I/O addressing is 
treated as memory mapped. 

2. 2. 1.3 ecu Bubble Memory System — A Rockwell bubble memory 
system is used for the nonvolatile storage of the CPU software 
programs. The bubble memory system, Figure 2-8, consists of two 
card assemblies, a 1-megabit memory assembly (RLM 658), and a 
controller assembly (RCM 650). The RLM 658 assembly provides the 
1-megabit of storage via four 256K-bit (RBM 256) devices which 
are operating in parallel. The RLM 658 also contains the sense 
amplifiers, coil drivers, operator logic (transfer, replicate and 
generate pulses), and the chip mapping PROM. The chip mapping 
PROM contains the redundancy information on the good and bad 
loops in each of the REM 256 devices. The RCM 650 controller 
organizes the memory to appear as an 8-bit byte parallel opera- 
tion with 128-byte blocks. Thus the memory is addressed by 
blocks (1 to 1024) with 128 bytes per block. The RCM 650 uses 
a preprogrammed 6502 microprocessor to accomplish the controller 
functions. Also, included on the RCM 650 is a Ik by 8 buffer 
memory which is the main interface between the bus controller CPU 
and the bubble memory. 
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2. 2. 1.4 ecu Cassette Interface — Tape cassettes are used for 
initially loading the bubble memory with the software programs 
for all of the CPUs. A PROM program in the bus controller CPU, 
allows the bus controller to read the ASCII data from the cas- 
sette, convert it to binary, and transfer the binary data to the 
bubble memory. A standard RS-232 interface is used between the 
bus controller CPU and the ASR733 data terminal with dual cas- 
settes. This RS-232 interface, along with additional bubble 
memory address decoding, is contained on the cassette and bubble 
memory I/O card assembly. 

2. 2. 1.5 Display Controller — Two ALT 512 graphics display con- 
trollers are used to generate the video signal for the EHSI. Each 
ALT 512 contains its own 131,021-bit refresh memory, TV sync, and 
video generator. The display field for each ALT 512 consists of 
two 256 by 256 by 1 planes. The two-plane arrangement allows 
eight different display formats. The mode of operation selected 
for the EHSI is to display one plane while the EHSI CPU erases 
and updates the other plane. Two ALT 512s are required to in- 
crease the throughput on the EHSI. The display information that 
requires faster updating is programmed in one of the ALT 512s 
while the slower information, which is updated at a slower rate, 
is programmed in the other ALT 512. The two ALT 512s are operated 
with one as the master, and the other as the slave (i.e. the slave 
receives its video clock and sync timing from the master). The 
combined video output is then transmitted to the EHSI CRT monitor. 

The ALT 512 utilizes a standard S-100 bus for all of the I/O 
interfaces. In order to provide the reconfiguration capability 
of letting either the EHSI CPU or the spare CPU drive the EHSI, 
the multiplexing of the address, data, and control lines from 
these CPUs to the ALT 512s must be provided. This multiplexing 
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circuitry is provided on the memory expansion cards associated 
with those CPUs. Control of which CPU is driving the EHSI comes 
as a discrete output from the bus controller CPU. 

2. 2. 1.6 ecu DABS Interface — Both the standard message (SM) 
interface and the extended length message (ELM) interface have 
been implemented for communication between the DABS transponder 
and the DABS CPU. The SM interface consists of a gated clock 
controlled by the transponder, and a bidirectional data line for 
serial transmission of data. For up-linking of information, 
data received from the transponder is converted from serial to 
parallel and stored in a 16 by 8 buffer memory. Upon receipt of 
a complete COMM-A message, an interrupt is generated to the DABS 
CPU which causes this CPU to read the contents of the buffer 
memory. For down-link information, the reverse process is re- 
quired. The DABS CPU loads a 16 by 8 buffer memory and then sets 
the B-bit in the SM interface format. Upon receipt of a COMM-B 
message to the transponder, the data is converted from parallel 
to serial and transmitted to the transponder. 

The ELM interface is a full duplex, synchronized serial binary 
data interface in accordance with RS-449. The following inter- 
face circuits are provided: 

ST - send timing (from transponder) 

SD - send data (to transponder) 

RS - request to send (to transponder) 

CS - clear to send (from transponder 
RT - receive timing (from transponder) 

RD - receive data (from transponder) 
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DM - data mode (from transponder) 

15 - terminal in service (to transponder) 

All of these interface circuits are bipolar, balanced circuits 
that operate at voltage levels and impedance levels as specified 
in RS-422. Operation of the ELM interface is similar to the SM 
interface except that the buffer memory is 256 by 8. This allows 
16 COMM-C or COMM-D segments to be received or transmitted as a 
block respectively. The transponder takes care of all the COMM-C 
and COMM-D decoding and downlink message initiation. The circuit- 
ry required to implement the SM and ELM interfaces is contained 
on the DABS SM card assembly and the DABS ELM card assembly. 

2. 2. 1.7 ecu I/O Interface — With the exception of the previously 
discussed interfaces, all of the I/O devices (aircraft sensors, 
engine monitors, mode control panels, etc.) interfaces directly 
with the autopilot CPU. This I/O interface provides the capabil- 
ity for: 

48 discrete inputs 

48 discrete outputs 

64 analog inputs 

16 analog outputs 

ecu Discrete I/O — The discrete inputs are multiplexed into 
4 words of 12 bits each before being read by the autopilot CPU. 

One of the discrete input words is reserved for self test (wrap- 
around) of the flight critical discrete outputs. Each discrete 
input is signal conditioned and prefiltered (0.8 msec, time con- 
stant) before being multiplexed to a comparator to determine its 
logic state. 
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The discrete outputs are organized into 3 words of 16 bits each. 
The discretes are stored in three 16-bit registers which are 
written into directly from the autopilot CPU. The outputs of 
these registers are buffered with high voltage open collector 
drivers, thus providing either an open or ground. The majority 
of the discretes are used for annunciation and the drivers tie 
directly to 28-volt lamps. The autopilot clutch engage and the 
auto-trim discretes require additional drive capability. This is 
provided with a discrete transistor stage added to the regular 
drivers . 

The discrete input circuitry and the discrete output circuitry 
for 16 of the outputs is contained on the discrete I/O card 
assembly. The circuitry for the rest of the discrete outputs 
including the special drivers is contained on the discrete out- 
put card assembly. The real-time clock is also included on this 
card assembly. The real-time clock is a counter running from the 
autopilot CPU Crystal Controlled Clock. It generates an inter- 
rupt 40 times per second to the autopilot, NAV, IDCC, and spare 
CPUs. 

ecu Analog Inputs — Four DG 506 16-channel multiplexers are 
utilized to allow up to 64 analog inputs to be multiplexed to a 
12-bit (11 bits + sign) A/D converter. Each analog input is sig- 
nal conditioned, scaled, and prefiltered prior to the multiplexer. 
The AC signals are demodulated using an LF 198 sample-hold IC 
with the sampling synchronized to occur at the peaks. A frequency 
to voltage converter is used for signal conditioning of the true 
airspeed signal. 

The A/D converter and 32 channels of multiplexing are contained 
on the ADC and MUX card assembly. The A/D converter is a 
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successive approximation type converter with a conversion time of 
32 microseconds, including multiplex and settling time. The con- 
verter IS composed of a 562 type D/A converter and two 8-bit 2503 
successive approximation registers. The input scaling is setup 
such that ±10 volts at the input to the A/D converter corresponds 
to full range. The additional 32 channels of multiplexing is 
contained on the DC Inputs and MUX card assembly. 

Also contained on this card assembly is the signal conditioning 
(differential buffer amplifiers and prefilters) for the dc inputs. 
The ac input card assembly contains a Scott -T transformer for con- 
verting the heading synchro signals to sin and cosine, second- 
order prefilters for the pitch and roll attitude signals, and the 
demod amplifiers for converting these ac signals to dc. The yaw 
servo amplifier, the pitch and roll command bar amplifiers, the 
VNAV deviation indicator drive circuitry, and the true airspeed 
frequency to voltage converter are also contained on this card 
assembly. 

ecu Analog Outputs — Each analog output consists of an LF 198 
sample-hold which is updated from a 12-bit D/A converter. Of the 
16 analog outputs provided, 8 are used for inflight recording, 3 
for the pitch, roll, and yaw servo amplifiers, 1 each for pitch 
command bar, roll command bar, and VNAV deviation, and the other 
two are spares. The D/A converter is a 562 type that is operated 
in the bipolar mode with a signal range of ±10 volts. The D/A 
converter, 16 sample-holds, 16-channel decoding, and the pitch 
and roll servo amps are all contained on the DAC and Servo Amp 
card assembly. 

2.2. 1.8 ecu Power Supplies — All power for the CCU and the IDCC 
is generated from the aircraft +28 Vdc bus. An Abbott BNIOOO 
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power module is used for the +5-volt supply. This dc-to-dc con- 
verter uses a pulse width modulated inverter switching at 18 to 
20 kilohertz to achieve an efficiency up to 70 percent with out- 
put capability to 20 amps. Similarily, an Abbott BBN500 power 
module provides a dual output ±15-volt supply. This supply has 
an output current capacity of 1.67 amps on each output. The 
bubble memory and the ALT-512 require ±12 V dc which is supplied 
from a linear regulator operating from the ±15-volt supplies. All 
of these supplies require approximately 10 amps from the 28-volt 
bus. 

2.2.2 Integrated Data Control Center (IDCC) 

The IDCC, Figure 2-9, consists of two basic assemblies, the CRT 
monitor assembly, and the chassis assembly. The over-all dimen- 
sion of the IDCC are shown in Figure 2-10. The CRT monitor assem 
bly is mounted in the IDCC chassis assembly which, in turn, is 
mounted in the aircraft. 

2. 2. 2.1 CRT Monitor Assembly — The CRT monitor assembly is a 
standard, solid state, monochromatic television monitor designed 
for avionics display applications. The monitor is 7.7 inches 
wide, 6.0 inches high, by 11.0 inches deep. It is a raster type 
monitor capable of 525 lines with a 2:1 interface at 30 frames 
per second, or a non-interlaced 262-line field at 60 fields per 
second. The latter is used in this application. The monitor is 
designed with P-43 phosphor and a narrow bandpass optical filter 
to produce a sunlight readable display. The display area is 4.5 
by 4.5 inches. 

2. 2. 2. 2 IDCC Chassis Assembly — The IDCC chassis assembly con- 
tains the following subassemblies in addition to the CRT assembly 
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Figure 2-9. DAAS Integrated Data Control Center 
, (IDCC) 
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5 HOLES 


Figure 2-10. IDCC Installation Drawing 




• CPU and memory 

• Keyboard 

• Pushbutton switches 

• Touchpoint switches 

• Miscellaneous controls 

IDCC CPU and Memory — The IDCC contains its own central pro- 
cessing unit (CPU) and associated memory. The CPU is an 8086 - 
16-bit microprocessor. The memory consists of 16K by 16-bit RAM 
and 2K by 16 bit ROM. The RAM is used for both program memory 
and scratchpad memory, and the ROM is used to store the initial- 
ization programs. The CPU, together with 4K of RAM and the bus 
interface circuitry, is packaged on one card. A second card con- 
tains 8K of RAM. A third card contains 4K of RAM. The fourth 
card contains the CRT refresh memory and the I/O circuitry. 

The CPU, together with its memory, performs the following 
functions . 

• Message storage. 

• Message formatting. 

• Output of messages to display refresh memory. 

• Scanning of switches and touchpoints. 

• Outputting and receiving intercommunications with the 
Central Computer Unit over the IEEE 488 bus. 

IDCC CRT Refresh Memory — Since the CRT monitor has no memory, 
it must be re-refreshed at the 60-Hz field rate. A CRT controller 
circuit is used to accomplish this function. This circuit accepts 
data from the CPU defining the alpha-numeric characters to be 
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displayed on the CRT display. It then outputs the appropriate 
video signals to the monitor to display these characters at the 
60-Hz field rate. The display field consists of 16 lines of 32 
characters . 

IDCC Switch Scanning — The IDCC provides for scanning of the 
switches and touchpoints on the IDCC as well as the switches on 
the EHSI. The switches on the IDCC consist of the pushbutton 
switches (mode and page select) located across the top of the 
IDCC, the keyboard switches, the forward and back page switch, 
the message acknowledge switch, and the light touchpoints. The 
switches on the EHSI consist of the nine switches used for EHSI 
control, and the eight switches used for slewing the display and 
cursor. The switches are scanned and debounced using IC hardware. 
The results of the scanning are entered into the CPU via memory 
mapped I/O and vectored interrupts. 

IDCC Keyboard — The IDCC keyboard is mounted at the lower 
left corner of the IDCC. It projects outward and downward at 
approximately a 30-degree angle for ease of operation. The key- 
board consists of 20 keys arranged in a four horizontal by five 
vertical matrix. 

It should be noted that the keyboard has full alpha-numeric capa- 
bility. Numeric entry requires only pressing one key. Alpha 
entries, however, require two key entry. Each key has three 
alpha characters in addition to the one numeral. The alpha char- 
acters are entered by first pressing the key with the triad of 
alpha characters that includes the desired character and then 
pressing one of the post designation keys, in the bottom row, to 
select left, middle, or right alpha character of the triad. 
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The keyboard is back lighted for night operation. 


Pushbutton Switches — The IDCC has 18 pushbutton switches 
located across the top to the unit.- In the current mechanization, 
14 of the 18 pushbuttons are used. 

The pushbuttons are backlighted for night operation. One push- 
button (AUTO SEQ SEL) incorporates a green light indicator. The 
green light is on when the auto-sequence mode is on. 

IDCC Touchpoints — The IDCC incorporates touchpoints that are 
used to interact with the CRT display. There are eight touch- 
points arranged in two vertical columns of four each. The touch- 
point switches are implemented in two different configurations. 

The normal touchpoint configuration is implemented with eight 
individual switches located in the bezel of the CRT display. 

An alternate touchpoint configuration can be installed by remov- 
ing the switch mounting bezel and replacing it with a plastic 
overlay. This overlay incorporates a touchpoint matrix that can 
be activated by finger pressure on the CRT face. The touchpoints 
in this configuration are also located in two columns of four 
each. 

The two different configurations are electrically compatible and 
Interface to the system thru a chassis mounted convertor. 

IDCC 488 Bus Interface — The IDCC communication with the cen- 
tral computer unit is over the IEEE 488 bus. The bus interface 
module (BIM) used in the IDCC is the same as that used in the 
central computer. It utilizes the TI 9914 488 bus controller IC. 
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IDCC Power Requirements — The CRT monitor portion of the IDCC 
requires 60 watts maximum of 28 volts do power, 28 VDC. The 
chassis portion of the IDCC requires approximately 2 amps of +5 
volts dc. The only other power required by the IDCC is the 
switch lighting power derived from the 28-volt dc. 

2.2.3 Electronic Horizontal Situation Indicator (EHSI) 

The EHSI, Figure 2-11, consists of two basic assemblies - the CRT 
monitor assembly and the EHSI controls assembly. The overall 
dimensions of the EHSI are shown in Figure 2-12. 

2. 2. 3.1 EHSI CRT Monitor Assembly — The CRT monitor assembly is 
idential to the IDCC CRT monitor assembly. For a detailed descrip- 
tion of the CRT monitor assembly refer to paragraph 2.1 of this 
report . 

2. 2. 3. 2 EHSI Controls Assembly — The EHSI controls assembly 
consists of a face plate, nine pushbutton control switches, and 
a slew control switch subassembly. 

EHSI Pushbutton Switches — The current mechanization uses 
eight of the nine available pushbutton switches. The pushbutton 
switches are white lighted for night viewing. In addition, green 
lighting IS provided for mode annunciation. The heading-up/ 
north-up map orientation select switch and the map slew or cursor 
slew select switches are split legend annunciators. Either the 
top half or bottom half may be lighted green to indicate the mode 
selected. All other switches are full legend annunciations. 

Since the map return is a momentary mode, the green annunciator 
IS not used on this switch. 
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Figure 2-11. DAAS Electronic Horizontal Situation 
Indicator (EHSI) 






All switch actions are momentary. The mode latching is done in 
the IDCC CPU. As discussed in paragraph 2. 2. 2. 2, these switches 
are scanned by the IDCC CPU. The IDCC CPU also controls the 
annunciator lighting. 

EHSI Slew Control Switch — The slew control switch consists 
of a single lever operating light switch. The lever is mechan- 
ically constrained so that either horizontal or vertical movement 
only is allowed. The lever is spring loaded to the center off 
position. The lever actuates one or two switches in each of the 
four directions, up, down, left, or right. The first switch 
activation causes a slow slewing effect, the second causes a fast 
slewing effect. 

2. 2. 3. 3 EHSI Power Requirements — The CRT monitor portion of 
the EHSI requires 60 watts maximum, 28-volts dc power. The con- 
trol switch portion requires only the signal level scanning power 
from the IDCC CPU. Nighttime lighting and annunciator lighting 
power for the switches is derived from the IDCC. 

2.2.4 DAAS Radio Adapter Unit (RAU) 

The following functions are performed by the RAU, Figure 2-13. 

- Tune the radios as commanded by the DAAS computer 

- Process VOR/LOC/CS data from NAV 2 and NAV 2 

- Process station identifiers 

- Process DME distance 

- Generate a radio system status word 

- Format the data for block transfer 
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- Exchange information with the DAAS computer via the 
IEEE 488 bus 

In addition to interfacing with the radio units, the RAU also 
interfaces with — 

- 28-V dc aircraft power 

- KMA 24 audio panel (with KA 35A) 

- KCI 310 ADI (through ILS source switch) 

- KI 226 RMI (through the VOR source switch) 

- DME channeling switch and ILS source switch 

- DAAS/Manual status switch for each NAV receiver 

The DAAS system RAU uses a microprocessor system for a flexible 
interface for control and data processing. The interface ex- 
changes data on the 488 bus using standard talker/listener func- 
tions and handshaking protocol. Also, the system monitors the 
radios, retaining and refreshing a defined data block for the 
data exchange process. 

The processor sends the proper tuning commands to the radios, 
processes the received position data and transfers this data in 
block format to DAAS. The data block transfers occur at a fixed 
rate of approximately 20 updates per second as required by the 
bus controller. 

The radio adapter unit will exchange data over the IEEE 488 bus. 
A dedicated general purpose interface buffer (GPIB) will handle 
the standard talker/listener protocol for transferring data. 

Data will be stored in a buffer to eliminate slowing down the 
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processor. Bus setup time is £ 45 ys and data transfer rate is 
£ 15 us per byte. 

NAV 1 and NAV 2 provide a video composite with either VOR or LOG 
information modulated onto the 9960-Hz subcarrier. The interface 
circuit identifies what type of information is present, demodu- 
lates the composite, and digitizes the result. The VOR/LOC data 
from NAV 1 and NAV 2 can also be displayed on the KI 226 and the 
KCI 310 indicators. The specific display mode is a function of 
the status switches. 

Glideslope information is also available from the KN 53 Naviga- 
tion Receivers. The signal will be conditioned in the interface 
for digital conversion. The digitized data will then be processed 
and maintained in the data block for transfer to DAAS. As with 
VOR/LOC, glideslope information can also be displayed on the KCI 
310 Indicator. The program will select the navigation unit to be 
displayed when in the DAAS mode. 

To validate active channels of the navigation radios, the identi- 
fiers will be read electronically, converted to the ASCII equiva- 
lent of the received Morse code, and stored as part of the data 
block. 

The similarity in tuning procedure for the KN 53 and KY 196 allows 
a common method of tuning these radios. The interface simulates 
the actions of the front panel rotary knobs by closing increment/ 
decrement switches electronically to change frequency. The 
standby frequency only is affected by the tuning switches. To 
change the active channel, standby is turned to the selected 
frequency, and an active/standby exchange is executed. The approx- 
imate worst case tuning time for a KY 196 or KN 53 to sweep full 
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band is 250 milliseconds. To execute an act ive/ standby exchange, 
approximately 50 milliseconds is required. The hardware for 
tuning the KY 196 receivers is included in the RAU, but not the 
necessary software. 

The KN 62A can be tuned by DAAS NAV 1 or NAV 2 through a common 
bus. Then the DAAS mode of tuning is enabled at the DME, one of 
these three sources will supply the DME tuning data. The DME 
channeling switch then enables the desired tuning source. The 
KN 62A tuning format is the 2 by 5 code. Approximately three 
seconds are required to tune the KN 62A and acquire valid 
distance. 

To verify the auto tuning function, or to read the DME channel, 
data is read from the internal tune bus. This data is serial BCD 
information. A sync and clock are available to strobe this data 
into the interface. 

The following switches are used by the pilot for radio system 
mode selection: 

NAV 1 Manual /DAAS 

NAV 2 Manual/DAAS 

DME NAV 1/ DAAS /NAV 2 

ILS Source NAV 2/DAAS/NAV 2 

VOR Source NAV 2 /NAV 2 

Complete pilot backput in a manual mode of operation is assured 
by the Manual position of the switches. 

Range information from the KN 62A is 18 bits of serial BCD data. 

A synchronous clock is provided to shift the data into the inter- 
face for processing. The microprocessor will convert this data 
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to a 15-bit binary word (LSB = 0.02 NM) and maintain the current 
distance code in the data block. 


2.3 DAAS OPERATIONAL EVALUATION 

Pilot evaluation of the DAAS functional configuration has been 
conducted on the DAAS flight simulator, Figure 2-14. Extensive 
refinement of the functional configuration has resulted. Follow- 
ing is a description of the simulator evaluation program and the 
evaluation results. 

2.3.1 Summary of Results 

A simulator program was conducted with the objective of deter- 
mining areas where system improvement might be accomplished. 
Specific system improvement proposals were identified and dis- 
cussed by the simulator pilot subjects and the DAAS system engi- 
neers. Changes were defined based on both their desirability and 
their effect on DAAS complexity. 

System improvements are those changes which would enhance the 
operational acceptability of the DAAS pilot /system interface. An 
iterative approach to the simulator program allows the verifica- 
tion of the DAAS functional performance, including improvements 
as they are defined. 

Simulator program change proposals were judged in light of the 
over-all objectives of DAAS, i.e., improve the safety and depend- 
ability of general aviation IFR operations without increasing 
pilot proficiency requirements or the cost of the avionics. 
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Two General Aviation pilot evaluations were conducted during the 
development of DAAS prior to this report. In addition, NASA 
Research Pilot Gordon Hardy examined DAAS frequently during DAAS 
development . 

The first evaluation was conducted in October 1979. Three 
General Aviation pilots participated. The three pilots were. 

J. Lindberg, Instrument Flight Training, a Division of Van Dusen; 
R. Albertson, representing King Radio; and W. Unternaehrer , 
Honesnvell Avionics Engineering. All three have airline type 
pilot ratings, although they have never flown for an airline. 

Two pilots, Lindberg and Albertson, are designated FAA Flight 
Examiners. Pilot participant experience is described in Section 
3.1 of this report. 

A four hour system briefing was conducted followed by one hour of 
simulator time for each evaluation pilot. Following this exposure 
to the system, a four hour debrief and discussion was conducted 
on all functions examined in the simulator. Comments were favor- 
able, and a number of DAAS features were considered excellent. 

For example, the capability of map slewing and automatic waypoint 
generation received high ratings. The evaluation results were 
positive for the most part, though some concerns were pointed out. 
An example of a concern was the effectiveness of touchpoint data 
entry both on the ground and during flight . The problem centers 
around inadvertent entries and concern for difficulty making data 
entries during flight turbulence. 

There were thirty-five pilot comments made regarding suggestions 
for improvements to the DAAS. Many of these have subsequently 
been incorporated. 
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The second evaluation was conducted on March 1980. Four General 
Aviation pilots participated. The four pilots were D. Rodgers, 
King Radio; R. Albertson, King Radio, W. Unternaehrer , Honesnvell, 
and Larry Peterson, Honesrwell. A detailed briefing was per- 
formed. The pilots then flew a scenario (see paragraph 2.3.2, 
scenario) in the simulator which required input of initial data, 
navigation data, checklists, interaction with EHSI and autopilot. 
Man Machine Science specialists monitored each pilot in his per- 
forming the scenario. Questions and comments of a human engineer- 
ing nature were recorded. Following the flights each pilot filled 
out a questionnaire. The combination of close monitoring during 
the scenario flight, the questionnaire data, and individual pilot 
debriefs provided comprehensive evaluation of the DAAS. This in- 
formation has been assessed and the results are discussed in 
section 3 of this report. 

The evaluation participants were generally enthusiastic about the 
DAAS concept and functional configuration. Access to data was 
considered to be significantly enhanced. Navigation, with stored 
data base and map display, was considered to reduce pilot work- 
load and improve pilot capability in the terminal area. DAAS 
capabilities to support good pilot practices in weight and bal- 
ance computations and take-off performance computation, as well 
as DAAS precise navigation capability, were judged to potentially 
improve general aviation flight safety. 

Evaluators generally agreed that (1) DAAS type systems can pro- 
vide greatly expanded functional capabilities, and (2) minimizing 
complexity and optimizing the pilot system interface is a major 
challenge. 
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2.3.2 Simulator Description 


2. 3. 2.1 General Purpose Facility — The DAAS simulator is a 
general purpose facility consisting of the following primary 
components : 

• Data General Eclipse S/200 CPU 

• Data General Nova 3/12 CPU 

• 16-bit parallel DMA between above CPUs 

• Datel System 256 Hybrid I/O Unit with 32 D/A and 64 A/D 
channels 

• Discrete I/O with 16 inputs and 16 outputs 

• Megatek MG552 Graphics Generator Unit 

• Pace 231R Analog Computer 

The Nova 3/12 CPU and Megatek graphics unit generate multiplexed 
alphanumeric and graphic formats with associated blanking signals 
to drive two independent direct-draw CRT displays. Other digital 
simulation tasks and hybrid I/O are performed by the Eclipse S/200 

2. 3. 2. 2 DAAS Simulation Hardware — The fixed base mockup of the 
pilot's control station includes seat, instrument panel, flight 
controls, and engine controls configured to the approximate dimen- 
sions in a Cessna 402. Since outside visual scene generation was 
not available, only IFR flight conditions were simulated. 

Functional Controls — The following pilot controls are func- 
tional in the simulator’ 
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• Ailerons and Elevator — Spring centered control wheel with 

hydraulic dampers on each axis. 

• Rudder — Spring centered pedals. 

• Elevator Electric Trim Switch — On control wheel. 

• Flap Position. 

• Autopilot Mode Control — King KMC 340. 

• Control Wheel Steering Switch — On control wheel. 

• Autopilot Dump Switch — On control wheel. 

• Go-around Switch — On left throttle grip. 

• Throttle — Left lever functional. 

• RPM — Left lever functional. 

• Mixture — left lever functional. 

• Gear Switch. 

• IDCC Touch Panel — Eight touch points. 

• IDCC Function select Keys — 18 keys. 

• IDCC Alphanumeric Keypad — 15 keys. 

• IDCC Enter and Backspace Keys. 

• EHSI Cursor Slew Control 
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Functional Displays — The following pilot displays are func- 
tional : 

• FDI — King KCI 310 

• EHSI — 4 X 5-inch direct draw CRT (Tektronix Mod. 608) 

• IDCC — 4 X 5-inch direct draw CRT (Tektronix Mod. 608) 

• RMI — King KI 581 

• Mode Annunciator — King KAP 315 

• Airspeed Indicator — 2.75-inch meter with 250-deg. pointer 
range 

• Baro Altimeter — three pointer DC servo drive 

• Vertical Speed — 250-deg, 2.75-inch meter 

• Manifold Pressure - 250-deg, 2.75-inch meter 

• RPM — 250-deg, 2.75-inch meter 

• Fuel Flow — 250-deg, 2.75-inch meter 

• Aircraft Clock 

• Master Caution and Warning Lights 

The KI 581 Radio Magnetic Indicator, listed above, is similar 
in appearance to the KI 226 , and was recommended by King Radio 
for use in the simulator. Simulated IDCC and EHSI displays dif- 
fer from the 4. 5-inch-square displays with in-raster symbol gener- 
ation presently planned for use in DAAS. The simulator facility 
IS currently limited to direct-draw display generation. Tektronix 
608 Monitors approximate the planned for use in DAAS. The simu- 
lator facility IS currently limited to direct-draw display gener- 
ation. Tektronix 608 Monitors approximate the planned DAAS dis- 
play dimensions to within 0.5 inch, and can be driven by the X, 
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Y, Z, and blanking outputs produced by the facility's existing 
graphics generator unit . 

Installation of one King KY 196 Comm Transceiver and a KT76A 
Transponder in the simulator is included to provide the means for 
exercising these functions in the pilot's procedural sequence. 

Labeled paste-ups of all remaining indicators are included on the 
simulated instrument to demonstrate DAAS and backup pilot panel 
layouts. 

Simulator Hardware Interfaces — Figure 2-15 summarized inter- 
faces between the facility computers and control/display devices. 
The analog computer is used only for gain and null settings on 
proportional controls and DC-meter panel instrvunents . 

2. 3.2. 3 DAAS Simulation Software — Software was developed 
for digital simulation of the following system and environmental 
components : 

• Aircraft and engine 

• Flight control system 

• Mean wind and gusts 

• Ground navigation 

• Navigation algorithms 

• Sensor outputs 

• IDCC functions, paging and display formats 

• EHSI display formats 

• System failures and other unplanned events 


51 



TERMINAL 

DISC 

MAG TAPE 

LINE 

PRINTER 


TERMINAL 

DISC 



THROTTLE, RPM, MIXTURE. 
AND FLAP CONTROLS 


AILERON, ELEVATOR. RUDDER, 
TRIM, AND GEAR CONTROLS 


PANEL INSTRUMENTS 


PANEL INSTRUMENTS 


HSI CURSOR CONTROL 
AND FCS MODE SWITCHES 


ANNUNCIATOR LIGHTS 
AND INSTRUMENT FLAGS 


IDCC KEYS AND 
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Figure 2-15. Simulator Hardware Interfaces 
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Digital Program Description — The digital program is divided 
into a set of modules or subroutines, all sharing a common data 
base. This data base consists of two arrays* one real array 
consisting of up to 1000 real variables, and the second an in- 
teger array consisting of up to 500 integer or logical variables. 
Each element of the arrays is equivalenced to a mneumonic of six 
letters or less. The following software subroutines are included. 

ARPLN — Aircraft equations of motion 

LACL — Lateral axis control law 

PACL — Pitch axis control law 

ENGIN — Engine model 

MODSL — Mode select logic 

ADC — Analog to digital converter 

SERVO — Servo model 

DISIO — Discrete input/output processing 

SNMOD — Sensor model 

ALTHLD — Altitude hold model 

NAVCM — Navigation computations 

SERIO — Serial input /output processing 

IDCC - IDCC display processing 

EHSI — EHSI display processing 

INSTR — Instrumentation signal processing 

All subroutines are called by an executive routine which also 
controls system timing by utilizing an interrupt driven real time 
clock. 
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2.3.3 Pilot Evaluations 


Several indices were used to assess the pilots' responses to the 
DAAS system simulation. These included observation of the pilots 
during the actual simulation exercise, as well as a paper-and- 
pencil questionnaire and informal debriefings following each ses- 
sion. The combination of these evaluation techniques yielded a 
relatively comprehensive assessment of the pilots' impressions of 
DAAS. These results are presented in section 4 of this report. 

In addition to evaluative data, the pilots were also asked to 
provide general background information. Each pilot was asked to 
fill out a brief questionnaire outlining his previous flight his- 
tory and current credentials. Appendix A contains the subject 
profiles that were compiled from the completed questionnaires. 

2.3.4 Evaluation Procedure 

The DAAS evaluations consisted of four elements. 

1. Pilots were briefed on the DAAS system and the aspects of 
it that were to be evaluated. 

2. Pilots then flew the simulator following a scenario for a 
planned flight of approximately 15 to 20 minutes. 

3. Immediately following the simulator exercise, each pilot 
filled out a questionnaire while elaborating verbally 

on their responses. 

4. Debriefing by means of an informal, on-going discussion 
with one or more pilots present completed the evaluation 
procedure. 
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2. 3.4.1 Briefing of Subjects — Briefings were given to the DAAS 
evaluation pilots who were not directly associated with the de- 
sign of DAAS. These briefings emphasized the functional charac- 
teristics of DAAS and the particular aspects that were to be 
evaluated. 


The briefings followed the outline as follows 

1. Objectives of DAAS 

2, Description of Controls and Displays 

2.1 Airspeed Indicator 

2.2 Attitude Director Indicator 

2.3 Mode Annunciator Panel 

2.4 Altimeter 

2.5 Altitude Rate Indicator 

2.6 Electronic Horizontal Situation Indicator and Controls 

2.7 Engine Instruments 

2.8 Integrated Data Control Center 

2.8.1 Display 

2.8.2 Touchpoint s 

2.8.3 Page Select Buttons 

2.8.4 Navigation Buttons 

2.8.5 Keyboard 

2.9 Caution and Warning Lights 

2.10 Autopilot Control Panel 

2.11 Miscellaneous Controls 
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2.11.1 Flap Control 

2.12.2 Throttle Quadrant 

2.11.3 Go Around Switch 

2.11.4 Trim Switch 

2.11.5 Autopilot Disengage Switch 

2.11.6 Control Wheel Steering Switch 

3. IDCC Functions and Pages 

3.1 Initialization 

3.2 Weight and Balance 

3.3 NAVAID Data and Storage 

3.4 Waypoint Data 

3.5 Flight Status 

3.6 Take Off and Cruise Performance 

3.7 Check Lists 

3 . 8 Emergency Procedures 

4. EHSI Functions and Features 

4.1 Heading Indication 8s Heading Select 

4.2 Display Format 

4.2.1 RNAV linked 

4.2.2 RNAV unlinked 

4.2.3 VOR 

4.2.4 ILS 

4.3 Vertical Track Angle and VNAV 

4.4 Waypoint Bearing Indicator 
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4.5 Miscellaneous Indications 
MDA or DH 

Waypoint in use and available 
Course 

Distance to Waypoint 
Time to Waypoint 
Waypoint Altitude 
Radios in use 


4.6 

Heading/North Up 

4.7 

Map Scales 

* 

Navigation Features 

5.1 

Map Review 

5.2 

Map Slew 

5.3 

Map Return 

5.4 

Use Button 

5.5 

Course Select 

5.6 

Auto Sequence 

5.7 

Horizontal Direct 

5.8 

VNAV 

5.9 

Waypoint Generate 

5.10 

Delete Waypoint 

5.11 

Insert Waypoint 

5.12 

Cursor Use 
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6. Attitude Director Indicator 

6.1 Horizon 

6.2 Command Bars 

6.3 Localizer Deviation 

6.4 Glide Slope Deviation 

6.5 VNAV Deviation 

6.6 MDA and DH Indicators 

7, Autopilot Mode Select Panel 

7 . 1 Yaw Damper 

7.2 Flight Director 

7.3 Autopilot 

7.4 Altitude Arm, Hold and Trim 

7 . 5 VNAV 

7.6 Heading Select 

7 . 7 Approach 

7.8 Navigation 

2. 3. 4. 2 Evaluation Scenario, Minneapolis Area — The evaluation 
scenario was planned for approximately 15 to 20 minutes of flight 
starting with a takeoff from the Minneapolis, St. Paul Inter- 
national Airport as waypoint 1, hence to waypoint 2, STILS inter- 
section, hence to waypoint 3, RENEW intersection; hence to way- 
point 4, BONNA Initial Approach Fix for an RNAV approach to Rwy 
29 Right , with waypoint 5 the missed approach point located at 
the landing end of Rwy 29 Right. Figure 2-16, Minneapolis local 
area victor airway IFR map, describes the flight route. 
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The flight time of 15 to 20 minutes was of sufficient duration to 
permit the exercising of the DAAS functions. Preparation for the 
flight, the entry of data via keyboard into the IDCC such as take- 
off performance calculations, weight and balance etc. , took an 
additional 15 to 20 minutes. Thus, the evaluation pilot was in 
the simulator seat for about 40 minutes, which was not long 
enough for either fatigue or boredom to enter the evaluation 
equation . 

The NAVAID Data entered into DAAS is described in Table 2-1 and 
consists of the VOR/DME stations used for waypoint definition. 
Table 2-2 lists the waypoints and describes the vertical naviga- 
tion profile. Figure 2-17 is the RNAV approach chart for Minne- 
apolis, St. Paul, International Airport Rwy 29 Right. 

The following is a description of the scenario in the order of 
actual events. 

1. Review flight plan as shown in Figure 2-16. 

2. Power-up system - IDCC INIT PAGE appears. Pilot enters 
Zulu time (GMT). 

3. Press MENU button and select touchpoint WEIGHT &, BALANCE 

4. WEIGHT & BALANCE, Pages 2 through 3 - Enter passenger, 
cargo and fuel weight as appropriate. Review results on 
page 3 to see that the calculated CG is between the forward 
and aft limits and that the maximum takeoff weight is not 
exceeded. Transfer results to INIT page. 

5. Press MENU button and select touchpoint TAKEOFF PERFORMANCE. 
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Table 2-1. NAVAID Data for Evaluation Scenario 


NAVAID 

No. 

Frequency 
I .D. 

Elevation 

Latitude 

Longitude 

Variation ' 

1 

MSP 117.3 

880 

N4508 . 7 

W09322.4 

6E 

2 

FGT 115.7 

930 

N4437 9 

W09310.9 

6E 

3 



N 

W 


4 



N 

W 


5 



N 

W 


6 



N 

W 


7 



N 

W 


8 



N 

W 


9 



N 

W 


0 



N 

W 
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Table 2-2. Waypoint Data for Evaluation Scenario 


DAAS Waypoint Data Sheet 

WP 

NAVA ID 
No ID 

Frequency 

Elevation 

(Ft) 

CRSl 

(Deg) 

CRS2 

(Deg) 

Radial 

(Deg) 

Distance 

(NM) 

1 

Altitude 

(Ft) 

Offset 

(NM) 

RNAV/VOR/ILS 

MDA 

1 

1 

MSP 





151 0 

17 1 





2 

1 

MSP 





094 

28 0 

3000 

4 0 



3 

1 

MSP 


^nitial Approach 
^ 


110 

32 0 

4000 

2 0 

' 


4 

2 

FGT < 

^ 




035 

13 0 

4000 




5 

It 

2 

FGT 





352 

15 0 

1400 



1400 

6^ 















Y 

Missed Approach Point 
(MAP) 









7 


V, 

) 








8 













9 













0 
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Figure 2--17, Minneapolis-St. Paul International 
RNAV Rwy 29 Right 
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6. TAKEOFF PERFORMANCE - Enter all appropriate data for take- 
off. Review results of computation on page 2. 

7. Press MENU button and select touchpoint CRUISE PERFORMANCE 

8. CRUISE PERFORMANCE - Enter appropriate data for cruise. 

9. Press NAVAID DATA button - enter VOR/DME data for appropri- 
ate NAVAID stations required to define waypoints for flight 
planned. See Table 2-1 for NAVAID data entry. Press 
NAVAID SUM button to review the data entered. 

10 Press WAYPOINT DATA button - enter waypoints that define 
intended flight. Review data entered by flipping through 
waypoint pages 1 through 5. See Table 2-2 for waypoint 
(WP) data for evaluation scenario. 

11. Using Electronic Map Slew lever and appropriate map scales, 
review the entire flight. 

12. Prepare for takeoff using IDCC checklists. 

13. Takeoff; engage auto pilot after airborne; climb to 400 
feet; use heading select to turn for an intercept with 
course 1 of WP2; activate autopilot NAV ARM; and as air- 
craft couples and settles down on course 1, select auto- 
pilot VNAV. Press AUTO SEQ button for course 1 to switch 
automatically to course 2. 

14. Halfway to WP3, make WP3 active and press USE button. 

15. Press FLIGHT STATUS button for true airspeed, ground speed, 

wind, ETA, and fuel available. 
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16. Halfway to WP4, make WP4 active and press USE button. 

17. Waypoint 4 is BONNA, the initial approach fix CIAF) for 
approach to Rwy 29 Right. At 3 miles from WP4, slow air- 
craft to 120 kts and review landing checklist. See Figure 
2-17, RNAV Approach Chart Minneapolis Rwy 29 Right. 

18. Over WP4, extend landing gear and flaps. 

19. Select WPS MAP active and press USE button. 

20. Monitor indicated airspeed to 100 kt and glide slope to 
about 3 degrees on the EHSI Vertical Track Angle indicator. 

21. At the minimum descent altitude (MDA) the aircraft goes to 
altitude hold and passes over WPS MAP. End of evaluation 
scenario. 

2. 3.4. 3 Post-Scenario Questionnaire — A post-scenario question- 
naire was developed to provide quantitative assessment of pilot 
response to the human factors characteristics of the DAAS simula- 
tion scenario exercise. Rating scales were used to assess re- 
sponses to overall system operation, as well as specific charac- 
teristics of the IDCC and EHSI keyboards and displays. The 
questionnaire addressed each of the following areas- 

• Overall System Operation 

- Workload assessment 

- Adequacy of information provided 

- Relevancy of information provided 

- Time assessment 

- Potential training requirements 
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• Time 

• Method (simulator versus isolated CRT displays) 

• IDCC Keyboard and Display 

- Ease of data entry 

• Time required 

• Keyboard location 

• Keyboard format 

- Adequacy of information displayed 

• Major functions/menu selections 

• Feedback for error corrections 

• EHSI Keyboard and Display 

- Ease of data entry 

• Waypoint insertion 

• Keyboard location 

- Adequacy of information displayed 

• General Comments 

The post-scenario questionnaire was given to each pilot immedi- 
ately following the simulation exercise. Administration of the 
questionnaire was informal, and verbal comments from the pilot 
elaborating on their responses to each item were encouraged. 

Thus, the questionnaire also served as a point of departure for 
the debriefing discussions which followed. 

2. 3.4.4 Debriefing — Debriefing involved informal ongoing dis- 
cussion with one or more of the pilots present at any given time. 
Thus, pilots were able to discuss the simulation from several 
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viewpoints. The result was an indepth analysis of both the func- 
tional characteristics of DAAS and its general acceptability as a 
future on-board system. 


2.4 FAILURE MODE AND EFFECTS ANALYSIS (FMEA) 

The intention of this FMEA is to analyze the effects of failed 
DAAS elements, the probability of the failures, and how the pilot 
workload and the flight safety situation are affected by the fail- 
ures. The importance of the safety pilot is discussed. DAAS 
compatibility to FAR Parts 23 and 91 is also assessed. 

Assessment of DAAS compliance with FAR requirements, and analysis 
of failure effects in general can be summarized as follows: 

• Failure Effects with Respect to FAR Requirements 

- Of the 86 DAAS elements analyzed, FAR Parts 23 and 91 
VFR and IFR CAT 1 requirements are applicable to 36. 

There are no conflicts for fault-free DAAS. 

- 25 DAAS elements may fail without violating any FAR 
requirements . 

- 11 failed elements violate FAR 23. 1329. e for the initial 
DAAS design. These 11 failures violate FAR 23.1329e 
which says • 

"Each system must be designed so that a single mal- 
function will not produce a hardover signal in more 
than one control axis." 
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Recommendat ion — The FAR 23.1329. e conflict was resolved by 
introducing 3 hardware limiters located down stream of the 
pitch, roll, and yaw D/A converters. These limiters will 
prohibit any DAAS computer failure from commanding the 
servos hardover. 


• Failure Effects, General — The 86 DAAS elements were split 
into the 4 failure categories: 


22 Elements - Category 1, Failure Effects 

36 Elements - Category 2, Failure Effects 

26 Elements - Category 3, Failure Effects 

2 Elements - Category 4, Failure Effects 


Negligible 

Inconvenient 

Demanding 

Critical 


The two critical failures are Aircraft 28-Vdc and Avionics 

28-Vdc bus. The category 4 failure probability is very low, 
—6 

less than 10 for a 4-hour flight. 


Recommendat ions 


1. The DAAS failure effects are not critical with the 
exception of the Aircraft and Avionics 28-Vdc bus 
failure. The probability of these failures happening 
is low enough to make them negligible. No action 
required. 

2. Flight safety is dependent on the safety copilot. He 
should closely monitor the DAAS performance, especially 
at low altitude, take-off, and landing conditions, 
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Following are the details of the analysis including description 
of the DAAS system analyzed, assessment of DAAS compliance with 
FAR requirements, and description of the FMEA results. 

2.4.1 DAAS System Description 

The present DAAS is defined in the following documents. 

1. Functional description, NASA DAAS Phase 2, dated October 
15, 1980. 

2. DAAS System Specification (YG1210) preliminary copy 
December 1979. 

3. Software requirements for the DAAS FCS, Version 5, October 
1979. 

4. Miscellaneous diagrams and papers describing the Cessna 
402B cockpit, servos, etc. 

2.4.2 Assessment of Compliance With FAR Requirements 

FAR Parts 23 and 91 are applicable to DAAS. The applicable FAR 
paragraphs are restated below and comments given as to how they 
are net by DAAS. 

2.4.2. 1 FAR Part 23 Equipment, Systems and Installations — The 
DAAS, when installed in the aircraft, must meet the following re- 
stated FAR Part 23 requirement : 
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Requirement , 23 . 1309 


(a) Each item of equipment, when performing its intended func- 
tion, may not adversely affect 

(1) The response, operation, or accuracy of any equipment 
essential to safe operation; or 

(2) The response, operation, or accuracy of any other 
equipment unless there is a means to Inform the pilot 
of the effect. 

(b) The equipment, systems, and installations of a multiengine 
airplane must be designed to prevent hazards to the airplane 
in the event of a probable malfunction or failure. 

(c) The equipment, systems, and installations of a single-engine 
airplane must be designed to minimize hazards to the air- 
plane in the event of a probable malfunction or failure. 

Comment . 

The DAAS development program should eliminate adverse affects 
specified in item a. Tests in simulators, qualifications tests, 
and checkout in the aircraft shall verify that no undesired 
interaction exists. 

The DAAS design and included limiters, monitors, warnings, etc., 
satisfy the item b or c requirements. 

2. 4. 2. 2 FAR Part 23, Requirements of the Autopilot — The Auto- 
pilot (sensors, computer, servos) must meet the FAR Part 23.1329 
requirement as follows: 
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Requirement , 23 . 1329 a to g 


(a) Each system must be designed so that the automatic pilot can 

(1) Be quickly and positively disengaged by the pilots to 
prevent it from interfering with their control of the 
airplane, or 

(2) Be sufficiently overpowered by one pilot to let him 
control the airplane. 

b, c, g requires a certain cockpit design in order to eliminate 
pilot confusion and simplify use of the autopilot. 

a,d,e,f requires a certain system design to minimize the Impact 
of autopilot malfunction. 


Comment 


The autopilot dump switches (control wheel, N^-accelerometer ) and 
the slip clutch included in the elevator, aileron, and rudder 
servos provide the required protection. 


The slip clutches are designed to prevent excessive accelerations 


Requirement 23.1329 b 

(b) Unless there is automatic synchronization, each system must 
have a means to readily indicate to the pilot the alignment 
of the actuating device in relation to the control system it 
operates . 
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Comment . 


The position of the control wheel, pedals and the trim indicators 
indicate the alignment. 

Requirement 23.1329 c 

(c) Each manually operated control for the system operation must 
be readily accessible to the pilot . Each control must oper- 
ate in the same plane and sense of motion as specified in 
23.779 for cockpit controls. The direction of motion must 
be plainly indicated on or near each control. 

Comment : 

DAAS panel layout agrees with the FAR requirements. 

Requirement 23.1329 d 

(d) Each system must be designed and adjusted so that, within 
the range of adjustment available to the pilot, it cannot 
produce hazardous loads on the airplane or create hazard- 
ous deviations in the flight path, under any flight condi- 
tion appropriate to its use, either during normal operation 
or in the event of a malfunction, assuming that corrective 
action begins within a reasonable period of time. 

Comment 
Met by 

1. Software limiters, 3-axis 

2. Software "faders” in pitch and roll 
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3. Slip clutches 

4. Pitch trim monitor 

5. The Nz> "IG-Dump accelerometer". 

Requirement 23.1329 e 


(e) Each system must be designed so that a single malfunction 
will not produce a hardover signal in more than one control 
axis. If the automatic pilot integrates signals from auxil- 
iary controls or furnished signals for operation of other 
equipment, positive interlocks and sequencing of engagement 
to prevent improper operation are required. 

Comment : 

This requirement can be met by implementation of hardware servo 
command limiters. (Note. Limiters have been added to flight 
system. ) 

Requirement 23 . 1329 f 

(f) There must be protection against adverse interaction of 
integrated components, resulting from a malfunction. 

Comment : 


Met by 

1 . Buffers eliminating part damage. 

2. Limiters and monitors eliminating excessive commands. 
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Requirement 23.1329 g 


(g) If the automatic pilot system can be coupled to airborne 

navigation equipment, means must be provided to indicate to 
the flight crew the current mode of operation. Selector 
switch position IS not acceptable as a means of indication. 

Comment : 

The annunciator panel provides the requested information. 

2.4.2. 3 FAR Part 91, Instruments, and Equipment Requirements — 
FAR Part 91.33, a to e , specifies instrument and equipment re- 
quired for powered civil aircraft with U.S. air worthiness cer- 
tificates as follows 


(a) 

General 



(b) 

VFR flight. 

day 


(c) 

VFR flight. 

night 


(d) 

IFR flight. 

category 

I 

(e) 

IFR flight. 

category 

above 24,000 feet 

(f) 

IFR flight, 

category 

II 


IFR category II is not applicable to DAAS. 
The requirements are summarized as follows. 
Requirement 91.33b 


(b) Instruments required for VFR Flying, Day 
(1) Airspeed indicator. 
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(2) Altimeter. 

(3) Magnetic direction indicator. 

(4) Tachometer for each engine. 

(5) Oil pressure gauge for each engine using pressure 
system. 

(6) Temperature gauge for each liquid-cooled engine. 

(7) Oil temperature gauge for each air-cooled engine. 

(8) Manifold pressure gauge for each engine. 

(9) Fuel gauge indicating the quantity of fuel in each tank. 

(10) Landing gear position indicator, if the aircraft has a 
retractable landing gear. 

Comment — The DAAS instrumentation includes the basic instruments 
required for VFR flight during daytime. 


Requirement 91.33c 


(c) For VFR night flights additional lights and an anticollision 
light system are required. 


Comment — It is assumed that the DAAS aircraft is properly 
equipped in this respect. 


Requirement 91 . 33d 

(d) For IFR flight the following instrximents and equipment are 
required. 
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(1) Instruments and equipment specified in paragraph (b) 
of this section and for night flight, instruments and 
equipment specified in paragraph (c) of this section. 

(2) Two-way radio communications system and navigational 
equipment appropriate to the ground facilities to be 
used. 

(3) Gyroscopic rate-or-turn indicator, 

(4) Slip-skid indicator. 

(5) Sensitive altimeter adjustable for barometric pressure. 

(6) Ac ock displaying hours, minutes, and seconds with a 
sweep-second pointer or digital presentation. 

(7) Generator of adequate capabity. 

(8) Gyroscopic bank and pitch indicator (artificial horizon). 

(9) Gyroscopic direction indicator (directional gyro or 
equivalent ) . 

Comment — The above listed instrumentation are included in DAAS . 

There is no requirement on redundancy stated in this paragraph. 

Requirement 91 . 33e 


(e) IFR flight at and above 24,000 feet MSL. 

If VOR navigational equipment is required under paragraph 
(d) (2) of this section, no person may operate a U.S. regis- 
tered civil aircraft within the 50 states, and the District 
of Columbia, at or above 24,000 feet MSL unless that air- 
craft is equipped with approved distance measuring equipment 
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(DME). When DME required by this paragraph fails at and 
above 24,000 feet MSL, the pilot in command of the aircraft 
shall notify ATC immediately, and may then continue opera- 
tions at and above 24,000 feet MSL to the next airport of 
intended landing at which repairs or replacement of the 
equipment can be made. 

2.4.3 DAAS Failure Modes and Effects Analysis Results 

The DAAS FMEA was conducted to determine effects of failures in 
the DAAS hardware. Assumptions for the analysis were as follows 

• DAAS is designed for category I IFR operation 

• All single failures and dual failures with high failure 
rates are studied. 

• Any failure in any element is assumed to result in a lost 
function of that element, which makes this a " worst case " 
analysis . 

• The autopilot slip-clutches, the pilot (and N ) dump 

z 

switches, and the pilot and copilot override possibilities 
provide the pilots adequate means to safely handle any 
single control axis hardover servo failure. 

0 

• The probability of a critical situation less than 10~ in a 
4-hour flight is judged to be negligible. 

• Pref light test and inflight bit are performed. Autopilot 
dump switching, normal acceleration dump switch, and servo 
clutch switches must be checked. 
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The preflight test coverage will be less than 100 percent 
due to nontestable elements. Expected fault detection 
coverage is 


Sensors 


70-80% 

Computers 


90-95% 

Indicators and 

Servos 

80-90% 

Monitors, Dump 

Switches, Clutches 

100% 


Some takeoffs may take place with faulty system elements due 
to less than 100 percent pref light test coverage. 

• Effective DAAS software validation will be performed. 

• The four Failure Categories are. 

1. Negligible to the pilot 

2. Inconvenient to the pilot 

3. Demanding to the pilot 

4. Critical, evident risk for catastrophe 

Fault categorization assumes a single pilot. In the conclu- 
sions, judgments are given on how the safety pilot improves 
the DAAS flight-safety situation and how failure probabili- 
ties affects the DAAS flight safety situation. 

• FAR Part 23 and 91 requirements are assumed to define a mini- 
mum avionics system, which is normally safe to fly. 

• DAAS failure rates used in the FMEA are as listed in Table 
2-3. The failure rate is the probability of a failure in a 
DAAS element during 1 hour flight . 
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Table 2-3. DAAS Elements Failure Rates 


Elements 

Type 

No 

Quantity 

n 

Failure 

Rates 

Total 

Rates 

Comments 

1 DAAS Elements 

Hardwired t( 

0 DAAS-Comp 

uters 




Bubble Memory 


1 

500 

500 



CPU & RAM/ PROM 

8086 

7 

60 

420 

(20 

and 80%) 

Radio Adapt Box 

(8748) 

1 

40 

40 



BIM 

(9914) 

8 

12 

96 



488-Bus 


1 

1 

1 

Incl 

2 Connectors 

A/D, D/A, Mux 


1 

60 

60 



EHSI 


1 

300 

300 



IDCC 


1 

300 

300 



IDCC Keyboard 


1 

50 

50 



ADI 

EC1310 

1 

340 

340 



RMI 

KZ226 

1 

330 

330 



CX-Sens & Indie. 


1 

100 

100 



Pitot System L 


1 

50 

50 

Not 

electrically hardwired^ 

Encod Altim 

-571 

1 

200 

200 



Audio Cont Panel 

KMA 24 

1 

200 

200 



Comm Tranceivers 

KY196 

2 

330 

660 



VOR Receivers 

KN53 

2 

250 

500 



DME Receivers 

KN62A 

1 

500 

500 



Transponder 

KT76A 

1 

400 

400 



Mode Controller 

KMC- 340 

1 

340 

340 



Annunciator Panel 

KAP-315 

1 

30 

30 



MAG X MTR 

KMT112 

1 

20 

20 



Directional Gyro 

KSG105 

1 

330 

330 



Slave Control 

KA-51A 

1 

10 

10 



Vertical GYRO 

VG 208 

1 

330 

330 



Radar Altimeter 

RT-271 

1 

500 

500 



ADC 

KDC-380 

1 

200 

200 



True Air Speed 

VA 210 

1 

100 

100 

Incl 

. F/V Converter 

Outer Air Temp 


1 

10 

10 

Incl 

Sign Conditioning 

Yaw Rate GYRO 

GG 2472 

1 

50 

50 



Engine Map 


2 

5 

10 



Engine RPM 


2 

10 

20 

Incl 

F/V Converter 

Engine Fuel Flow 


2 

5 

10 



Cowl Flap Pos 


2 

5 

10 



Flap Pos 


1 

20 

20 



Elev Trim Pos 


1 

20 

20 



Yaw Servo 


1 

70 

70 

Incl 

. Clutch & Amplif 
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Table 2-3. DAAS Elements Failure Rates (2 of 2) 


Elements 

Type 

No 


Quantity 

n 

Failure 

Rates 

Total 

Rates 

Comments 

Roll Servo 



1 

70 

70 

Incl Clutch Sc Amplif 

Pitch Servo 



1 

70 

70 

Incl Clutch Sc Amplif 

Pitch Trim Servo 



1 

50 

50 

Incl Clutch Sc Amplif 

2 DAAS Instrumentation not 

Hardwired to DAAS Computers 

IAS 



1 

280 

280 

Pitot System L 

VS I 



1 

100 

100 

Pitot System L 

Turn & Bank 



1 

150 

150 


Fuel Quantity 



1 

150 

150 


Map 



1 

10 

10 


RPM 



1 

10 

10 


Fuel Flow 



1 

10 

10 


EGT 



1 

10 

10 


Engine Status 



2 

20 

40 


3 Co-Pilot Back U 

p Instrume 


itation 




Pitot System R 


1 

50 

50 


IAS 


1 

280 

280 


Altimeter 


1 

180 

180 


VS I 


1 

100 

100 


Turn & Bank 


1 

150 

150 


Art if 1C Horizon 

KG258 

1 

670 

670 


PNI 

KC525A 

1 

330 

330 


Slave CTRL 

KA-51A 

1 

10 

10 


Direct GYRO 

KG102-A 

1 

400 

400 


MAG X MTR 

KMT112A 

1 

20 

20 


Comm Tranceiver 

422A 

1 

660 

660 


VOR/GS, Receiver 

442A/443A 

1 

500 

500 

Incl Nav Converter 

4 Electrical Powe 

r System 





A/C 28VDC Bus 


1 

< 1 

< 1 

Redundant Alternators 






pilot disconnect faulty 

Avionics 28VDC Bus 


1 

< 1 

< 1 

battery > ' 

DAAS A 28VDC Bus 


1 

^ 1 

^ 1 

Valid as long as DAAS 

DAAS B 28VDC Bus 


1 

^ 1 

.. 1 

Battery Lasts ( - 1 hr ) 

DAAS Battery Chrgr 


1 

5 

5 


DAAS Battery 


1 

100 

100 


DC/AC Invertor 


1 

10 

10 


DC/DC Converter 


2 

15 

30 
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For the failure probability estimates, 4 hours flight time 
are assumed. 

The failure rates in Table 2-3 are collected from adjusted 
MIL-HDB-217B data, vendors reliability data, Honeywell pre- 
dicted failure rates and by comparison to known similarly 
complex elements. 

The failure rates should be representative of components and 
parts available in 1979/80. 

FMEA results are compiled in Appendix B. The DAAS elements are 
defined on these forms and the type of failure and the failure- 
rates are also listed. The impact of a faulty element on down- 
stream DAAS elements is also indicated. 

Finally, a judgment is made as to how the failed element will in- 
crease the pilot effort required to complete his flight. The 
failures are divided into the four categories on the basis of 
this judgment. 

The DAAS failure category is assigned assuming a co-ilot in the 
right seat . 

Appendix B also indicates whether; 

• FAR requirement are applicable and met . 

• Failure probabilities are significant to the risk situation. 

• DAAS would be safe to fly with the analyzed element faulty. 
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The FMEA covers the consequences of 86 failed DAAS elements. 

Table 2-4 summarizes failure categories and indicates whether 
applicable FAR requirements are met. Comments on redundancy, 
failure probability, etc. , are given for some failed elements. 

These FMEA results indicate that fault-free DAAS meets the FAR 
Part 23 and 91 requirements. DAAS does provide the required 
means for override and disengage after a failure. 

FAR requirements may more or less be violated if DAAS elements 
fail. Of the 86 failed DAAS elements studied, FAR VFR or IFR Cat 
I requirements apply to 36. For these 36 failed elements, 11 
violate the FAR requirements. FAR requirements that apply to 
general VFR flight, and 6 of these are not met. 13 requirements 
applying to IFR Cat I, 5 are not met. 16 requirements apply to 
IFR Cat II; DAAS is not certified for Category II. 

The violated paragraph is 23.1329(e) which says. 

"Each system must be designed so that a single malfunction 
will not produce a hardover signal in more than one control 
axis. " 

Violation occurs for failures in: 

• A/P, NAV, Bus Controller, Processors 

• 488-Bus 
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Table 2-4. 

Summary 

of the DAAS Failure Modes and 



Effects 

Analysis 


Failure 

Element 

Far Req 

Failure 

Comments 

No. 

Met 


Category 

1 

Encod . Altimeter 

OK Cat 

1 

3 

Misleads ATC 
Proximity W-Error 

2 

Altimeter Co-Pilot 

OK Cat 

2 

2 


3 

Radar Altimeter 

OK 


2 


4 

TAS 

N/A 


2 


5 

IAS Pilot 

OK Cat 

1 

2 


6 

IAS Co-Pilot 
ADC (380) 

OK Cat 
N/A 

2 

1 

Min. Alt. for ALTH 

7 


2 

Recommended 

8 

Pitot System L 

OK Cat 

1 

3 


9 

Pitot System R 

OK Cat 

2 

1 


10 

Oat 

N/A 


2 


11 

Pilot Mag XTMR 

OK Cat 

1 

3 


12 

Pilot Slave Indie. 

N/A 


1 


13 

Pilot Direct GYRO 

OK Cat 

1 

3 


14 

Pilot RMI 

OK Cat 

1 

2 


15 

Co-Pilot Mag. XTMR 

OK Cat 

2 

1 


16 i 

Co-Pilot Slave Indie 

N/A 


1 


17 

Co-Pilot Direct GYRO 

OK Cat 

2 

1 


18 

Co-Pilot PNI 

OK Cat 

2 

1 


19 

Pilot Turn & Slip 

OK Cat 

2 

1 


20 

Co-Pilot Turn 8c Slip 

OK Cat 

2 

1 


21 

Yaw Rate GYRO 

N/A 


2 


22 

X-Sensor & Indicator 

N/A 


2 


23 

Pilot Vert ical-GYRO 

OK Cat 

1 

2 


24 

Pilot ADI 

OK Cat 

1 

2 


25 

Co-Pilot Art if. Horiz. 

OK Cat 

2 

1 


26 

Map Inst rumen t 

OK Cat 

2 

2 


27 

RPM Instrument 

OK Cat 

2 

2 


28 

EGT Instrument 

N/A 


2 


29 

Eng. Status 1 

OK Cat 

2 

3 

Pilot Action 

30 

Eng. Status 2 

OK Cat 

2 

3 

As If Engine Failure 

31 

Fuel Flow Sens. 1 

N/A 


2 


32 

Fuel Flow Sens. 2 

N/A 


2 
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Failure 

No 

Element 

Far Req. 
Met 

33 


Fuel Quantity 

OK Cat 

2 

34 


DAAS Map Sensor 

N/A 


35 


DAAS RPM Sensor 

N/A 


36 


Wing Flp. Pos. Sens. 

N/A 


37 


Elev. Trim Pos. Sens, 

OK 


38 


Cowl Flps . Pos Sens . 

N/A 


39 


LDG Gear Pos. Sens. 

N/A 


40 


Door Pos. Sens. 

N/A 


41 


Aux. Fuel Pump Sw. 

N/A 


42 


Cws-Switch & Logic 

OK 


43 


Go-Around Switch 

N/A 


44 


Pitch Trim Switch 

N/A 


45 


Pitch Trim Button 

N/A 


46 


A/P Dump Sw. & Relay 

OK 


47 

a 

Co-Pilot Comm. 
Transievers , Antennas 

OK 



b 

Co-Pilot Comm. 
Transievers , Antennas 

OK 


48 

a 

Pilot Nav. 

Receiver + Antennas 

OK Cat 

2 


b 

Co-Pilot Nav. 
Receiver + Antennas 

OK Cat 

2 

49 


DME Receiv. + Ant. 

OK Cat 

2 

50 


Transponder + Ant , 

N/A 


51 


Audio Headsets 

OK 


52 


Switch Nav 1 Sel. 

N/A 


53 


Switch Nav 2 Sel. 

N/A 


54 


Switch DME Sel. 

N/A 


55 


Switch VOR Sel. 

N/A 


56 


Switch Loc/GS Sel. 

N/A 


57 


IDCC Keyboard 

N/A 


58 


IDCC Selector Switch 

N/A 


59 


IDCC CPU, Display 

N/A 


60 


EHSI Selector Switch 

N/A 



Failure 

Category 


Comments 









Redundant info . available 


A Software Controlled 
CWS Light Recommended 


Runaway Not Monitored 
2 Failures Probab. -lO' 

Duplex Probab, 


Single DME 

No Outsignal ATC Problem! 
DAAS Duplex 


Missed Pilot Input Check. 
Low Probability 
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Table 2-4. Summary of the DAAS Failure Modes and 
Effects Analysis (Sheet 3 of 3) 


— 

Failure 

Element 

Far Req. 

Failure 

Comments 


No . 

Met 

Category 


61 

EHSI CPU, Display 

N/A 

2 



62 

Annunciator Panel 

OK 

2 



63 

Mode Cont . Trim/Hdg. 

OK 

2 


- 

64 

Mode Cont. Toggle Sw 

OK 

2 



65 

Mode Cont, Solen, Sw. 

OK 

2 



66 

A/p Yaw Clutch, Servo 

OK 

2 



67 

A/P Roll Clutch Servo 

OK 

3 

- 


68 

A/P Pitch Clut. Servo 

OK 

3 



69 

A/P Pitch Trim Servo 

OK 

3 



70 

Clutches Common Logic 

OK 

3 



71 

A/P-I/0 CPU, BIM 

NOT OK 

Q 

Fault During Critical 


A/P-I/0 A/D, D/A, MUX 

o 

Fault Phases 


72 

NAV/FLT PLN CPU, BIM 

NOT OK 

2 

Probab. No Recon. 30*10 ^ 
Probab, Recon. 6*10^^ 


73 

Spare CPU, BIM 

N/A 

2 

Probab. <10~® 


74 

Radio Adapter Box 
and BIM 

N/A 

3 

Critical Fault Phase 

- 

75 

Dabs Transponder 
CPU + BIM 

N/A 

1 

ATC Problem 


76 

BUS. Controller 
CPU, BIM 

NOT OK 

3 

Uncertain Warn. 

- 

77 

488 Bus 

NOT OK 

3 

Critical Fault Phase 


78 

Bubble Memory 

NOT OK 

3 

Probab. <10“® 


79 

Cassette 

NOT OK 

3 

Efficient Bite Probab . <<10“® 


80 

A/C Main 28 VDC Bus 

OK 1) 

4 

Probab . <10“^ 


81 

Avionics 28VDC Bus 

OK 

4 

Probab . <10"^ 



82 

DAAS A-B 28VDC Bus. 

NOT OK 

3 

Probab. <10”^ 


83 

DAAS AC Buses 

NOT OK 

3 

Probab. -10“® 


84 

DAAS 15V DC Bus 

NOT OK 

3 

Probab. -10“^ 

-- 

85 

DAAS 12 DC Bus 

NOT OK 

3 

Probab . <<10” ® 


86 

DAAS 5 DC Bus 

NOT OK 

3 

Probab. -10”^ 

- 

1) CESSNA 402B electrical power system with DAAS installed 


assumed to meet applicable 

Far requirements. 
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• Bubble Memory and Cassette 

• The Electrical Power Buses 

The 23.1329(e) conflict was resolved by introducing three hard- 
ware limiters located immediately downstream of the pitch, roll 
and yaw A/D converters in the DAAS hardware. These limiters 
prohibit any kind of DAAS computer failure from commanding servo 
hardover. The limiters reduce any DAAS computer hardover failures 


to . 




• Pitch 

- 60% 

Full 

Scale 

• Roll 

- 30% 

Full 

Scale 

• Yaw 

- 45% 

Full 

Scale 


Appendix B contains the complete Failure Modes and effects 
analyses. Eighty-six failures were defined and categorized 
as follows. 

Category 1 - Failures are negligible to the DAAS pilot; e.g., 
copilot instruments, door switches, etc. 

Category 2 - Failures that cause inconvenience to the DAAS pilot , 
e.g., loss of ADC-380 RMI , a -Sensor, Annunciator 
Panel . 

Category 3 - Failures during busy or critical flight-phases which 
can be demanding to the DAAS pilot, e.g., IDCC key- 
board, engine/status instrument, servos, autopilot 
dump switch, autopilot processor, bus, and electric 
power . 
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Category 4 - Failures that may create a critical situation. The 

two DAAS Category 4 failures a e loss of the Aircraft 
and Avionics 28-Vdc Bus. The probability of occur- 
rence IS very remote. 

Table 2-6 summarizes the number of failures that fall within 
these failure categories. 


Table 2-5. Failure Categorization of 
the DAAS Elements 


Number of DAAS 
Elements 

Failure Category 

1 

2 

3 

4 

22 

36 

26 

2 


—6 

The DAAS Category 4 failures have a very low probability of 10 
They are negligible. 

Autopilot Processor failures are demanding during especially low 
altitude flight phases. The probability of such a failure may be 

_5 

10 for a 4-hour flight . It is vital to the DAAS flight safety 
that the copilot closely monitors the DAAS performance during 
such conditions. 

The DAAS FMEA concludes that , with servo command limiters imple- 
mented as recommended, DAAS flight safety is adequate for the 
demonstration system. 

The DAAS system meets the objectives of the program as well as 
the necessary safety requirements. The conclusions and recommen- 
dations pertaining to the DAAS system are presented in Section 4 
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report. The DAAS design and analysis served as a baseline for 
the Projected Advanced Avionics System (PAAS), which is discussed 
in the following section. 
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SECTION 3 

PROJECTED ADVANCED AVIONICS SYSTEM (PAAS) 


PAAS IS a projected operational version of DAAS. It extrapolates 
the DAAS concept of fault tolerant integrated avionics to a sys- 
tem that could be produced in the mid-1980s. PAAS is designed to 
have super functional reliability. The Autopilot /Navigation mean 
time between loss of function is on the order of 10,000 hours.. 
PAAS can thus provide the dependable pilot relief that is essen- 
tial for effective flight management by using the expanded func- 
tional capabilities provided. 

Following IS a description of PAAS and an analysis of its reli- 
ability, cost, maintainability, and modularity. 

3.1 PAAS SYSTEM DESCRIPTION 

The PAAS system. Figure 3-1, extrapolates the DAAS concept to a 
mid-1980s projected operational avionics configuration. PAAS 
architecture is similar to DAAS; i.e., it is a reconf igurable 
multiprocessor configuration. PAAS extends the DAAS spare pro- 
cessor redundancy concept to cover all essential avionics pro- 
cessors. PAAS employs a fault tolerant sensor configuration, 
dual redundant data busses, and dual autopilot servos. Redun- 
dancy in sensors, data bus, and servos — in addition to fault 
tolerant processing — is required to cause significant impact 
to the avionics functional reliability. 

PAAS is designed as a minimum cost system that will allow con- 
tinued operation of essential avionics functions after any single 
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Figure 3-1, PAAS System Architecture 






failure. Functional reliability of navigation and autopilot are 
emphasized. The PAAS design provides approximately 10,000 flight 
hours of operation between loss of these functions, as compared 
to 200 hours for current systems. 'PAAS includes extensive built- 
in test for high confidence fault detection (and annunciation) 
and fault isolation for efficient maintenance. 

Following IS a description of the PAAS fault tolerant implementa- 
tion of sensors, data bus, computer, displays, servos, power 
supplies, and the redundancy management techniques envisioned for 
the system. 

3.1.1 PAAS Sensor Configuration 

PAAS sensors required for navigation and autopilot functions are 
redundant for fault tolerance. Four skewed laser gyros, and four 
skewed accelerometers are proposed for the projected strap-down 
attitude heading reference system (AHRS). Dual static and differ- 
ential pressure transducers are proposed for air data sensing. 

Dual VOR receivers and single DME are included for NAV inputs. 

Fuel sensors, engine sensors and configuration monitoring sensors 
are nonredundant . 

Following are details on the unique PAAS AHRS and air data sensor 
mechanization . 

3. 1.1.1 PAAS AHRS Mechanization — The AHRS employs strap-down 
skewed laser gyros and skewed accelerometers for fault tolerant 
attitude and rate sensing. 

The laser gyro is a solid-state, precision angular rate sensor 
with a direct digital output. The laser gyro is ideally suited 
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for strap-down system configurations because it eliminates the 
need for gimbals, torque motors or other rotating parts. Instead 
of the rotating mass of a conventional mechanical gyro, the ring 
laser gyro utilizes two beams of laser light counter-rotating in 
a closed path. Laser gyro based inertial navigation and inertial 
reference systems are inherently more reliable and easy to main- 
tain, and they provide the additional benefits of instant on, in- 
sensitivity to acceleration error sources, and low life cycle cost. 

Four gyros and four accelerometers are employed in a skewed con- 
figuration, as shown in Figure 3-2. 

Aircraft body rates (and accelerations) are derived from the sen- 
sor tetrad as indicated. The three body axis rate components 
(and accelerations) can be computed from the sensor signals even 
if one sensor has failed. Fault tolerance is thus provided for 
the three body rates (and accelerations) with only one added 
sensor. 

A faulty sensor can be detected with high confidence by sensor 
comparison monitoring, and the fault can be isolated to one sen- 
sor either automatically, or by pilot selection should the auto- 
matic selection fail as described in paragraph 3.1.7. 

The sensed aircraft rate and acceleration signals are converted 
to digital form in each of the PAAS dual I/O terminals and trans- 
mitted to the PAAS AHRS processor for attitude/heading computa- 
tions. A flux gate signal is also input for long term heading 
reference. The attitude heading signals are used on the elec- 
tronic attitude indicator in the PAAS autopilot and navigation 
functions . 
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Figure 3-2. Skewed Sensor Geometry 
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A general aviation laser gyro AHRS is not currently available, 
but may become feasible. Honeywell is developing a laser gyro 
inertial reference assembly for the Boeing 767. Others are work- 
ing on low cost laser rate sensors using optical fibers. 

3. 1.1.2 PAAS Air Data Sensors — Dual solid state static and 
differential pressure transducers and dual temperature sensors 
are proposed for PAAS to provide fault tolerant inputs for com- 
putation of altitude, altitude rate, indicated airspeed and true 
airspeed. Hone 3 nvell's solid state transducers used in current 
commercial aircraft air data systems are representative of de- 
vices which will likely make the PAAS air data approach feasible 
in general aviation in coming years. 

The Hone 3 nvell pressure sensor converts the applied pressure to a 
usable electrical signal. An N-type silicon diaphragm within the 
sensor contains two P-type resistors diffused in an orthogonal 
pattern on the diaphragm. The orthogonal placement of the resist- 
ors in the diaphragm creates a change in the bulk resistivity of 
the resistors that is a function of diaphragm tangential and 
radial strain. The trangential resistor (R,p) increases resistance 
with strain (applied pressure), while the radial resistor (R„) 
exhibits a corresponding decrease with strain. 

The silicon piezoresistors are, therefore, used as strain gage 
elements . 

The resistive elements have nearly identical temperature coeffi- 
cients of resistance, because they are formed at the same time 
during the processing operations and are adjacent to each other. 
This permits temperature-related errors to be largely self-compen- 
sating due to the sensor resistance-bridge circuit mechanization. 
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Sensed static pressure, differential pressure and temperature are 
converted to digital form and transmitted to the PAAS ADC proces- 
sor for computation of altitude and airspeed signals for use on 
electronic flight instruments, and in PAAS autopilot and naviga- 
tion functions. 

3.1.2 PAAS Data Bus 


The PAAS data bus is dualized for fault tolerance. One bus con- 
troller is located with each I/O terminal. The two busses oper- 
ate continuously to provide dual redundant inputs to detect (and 
annunciate) faults with high confidence. 

DAAS employs the 16-wire IEEE 488 8-bit parallel data bus. A 
high throughput serial data bus, for which LSIC interface compo- 
nents are available, is proposed for PAAS. The serial bus would 
be preferable to minimize aircraft wiring if the PAAS processors 
are packaged separately. 

PAAS data bus throughput requirements have not been established, 
though PAAS data bus loading is clearly higher than DAAS because 
air data, AHRS data, and weather radar display data are added to 
the bus. 

3.1.3 PAAS Computer Architecture 

The PAAS computer employs the spare processor redundancy concept 
developed for DAAS, but extends back-up capability to all essen- 
tial processors. See Figure 3-1. The PAAS spare can take over 
for any failed processor except the DABS processor, the weather 
radar processor, or the IDCC processor. 
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The DABS or weather radar function reliability would not be sig- 
nificantly enhanced by redundant processing because the higher 
failure rate sensors are not redundant. The IDCC back-up is a 
reversion mode on the EHSI display, thus IDCC processor backup 
IS not required. 

The PAAS processors receive their inputs, and supply outputs to 
dual I/O terminals via the dual PAAS data busses. 

3.1.4 PAAS Displays 


Proposed PAAS display configuration is illustrated in Figure 3-3. 
Three-color CRTs are Included. One display normally presents: 

• Attitude/Director Indicator 

• IAS Indicator 

• Altimeter 

• Vertical Speed Indicator 

• Etc. 

The second panel mounted display is a horizontal situation indi- 
cator similar to the DAAS EHSI. A third display would be mounted 
in the pedestal for use as an IDCC. 

The first display could be periodically switched to present the 
EHSI if the second display failed, and vice versa. The second 
display could also be switched to operate as a primitive NAV 
function IDCC if the primary IDCC failed. 

Multifunction controls are provided for each display. The con- 
trols are relabeled when the display function changes. 
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Coiranunication control heads are panel mounted to provide tuning 
capability independent of the PAAS display system. 

3.1.5 PAAS Servo Mechanization 

PAAS servos are dual with clutch arrangements to allow switching 
between servos for continued operation after one servo failure. 
Each servo in a dual pair is driven from one of the dual I/O ter- 
minals. A servo model would be implemented in PAAS software for 
each mechanical servo, and model output would be compared to 
servo output to detect and isolate servo faults. 

3.1.6 PAAS Power Mechanization 

Dual, monitored power supplies are included in PAAS. The power 
references to the essential PAAS components are switched in event 
of a power supply failure. 

3.1.7 PAAS Redundancy Management 

PAAS would include extensive built-in test to detect and isolate 
faults to facilitate automatic reconfiguration. Fault detection 
confidence could exceed 99 percent for dual elements through use 
of simple comparison monitoring. Automatic fault isolation is 
feasible with confidence on the order of 80 to 90 percent for the 
dual sensors, and approaching 100 percent for the dual model- 
comparison-monitored servos. 

PAAS could include capability for manual redundancy management as 
backup to the automatic fault localization/reconfiguration. The 
PAAS data bus could be switched manually from dual operation to 
Channel I or Channel II as indicated in Figure 3-3. Sensor and 
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servos could be manually selected on IDCC pages as shown in 
Figure 3-4. 


3.2 PAAS RELIABILITY ANALYSIS 

PAAS is configured to provide an order of magnitude improvement 
in functional reliability at a reasonable cost with respect to 
conventional architectures. Effectiveness of the PAAS architecture 
is therefore analyzed by comparing PAAS Autopilot and Navigation 
function reliability with respect to a hypothesized "conventional" 
system. The reliability analysis also compares the maintenance 
failure rate of PAAS and the "conventional" system to give some 
indication of PAAS relative life cycle cost. 

The "conventional" system component list, and associated failure 
rates, are compiled in Table 3-1. This system includes current 
devices required to give functional capability similar to that of 
PAAS. Communications, navigation, flight control, performance 
computations, configuration monitoring, and weather radar are in- 
cluded. Where possible, failure rates are King Radio Corporation 
tabulations of actual operational experience. Honeywell Reliabil- 
ity Engineering Group provided generic estimates where operational 
experience was not available. The PAAS computer unit reliability 
prediction is extrapolated from the DAAS hardware mechanizations. 

The "conventional" system maintenance failure rates are summed to 
determine a total failure rate of 1061.5 percent per 1000 hours, 
for a total system mean time between failure of 94 hours. 

The "conventional" system autopilot/navigation functional reli- 
ability was determined by summing failure rates of components 


99 



REDUNDANCY MANAGEMENT PI OF I 


• AHRSINSEL 

> AUTO 
MAN (CH X) 

« AHRS GYRO OFF 

> AUTO 

MAN I6YR0 X) 

• AHRS ACCEL OFF 

> AUTO 

MAN (ACCEL X| 

• NAVINSEL 

> AUTO 

> MAN (CH X) 


ADC IN SEL 

> AUTO 
MAN (CH X) 

PS SEL 

> AUTO 
MAN (CH X) 

IAS SEL 

> AUTO 
MAN (CH X) 


REDUNDANCY MANAGEMENT P2 OF 2 


• RUO SERVO SEL 

> AUTO 
MAN (CH X) 

« AIL SERVO SEL 

> AUTO 
MAN (CH X) 


* EL SERVO SEL 

> AUTO 
MAN (CHX) 

* TR SERVO SEL 

> AUTO 
MAN (CH X) 


REDUNDANCY MANAGEMENT 

PI OF! 

STATUS 


AHRSSEL/CH 

AUTO/1 

AHRS GYRO/ACCEL FAIL 

x/x 

AOC SEL/CH 

AUTO/I 

ADC PS/IAS FAIL 

X/X 

NAV SEL/CH 

MAN/I 

NAV FAIL 

2 


Figure 3-4. PAAS Manual Redundancy Management 
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Table 3-1. Reliability Estimate for a Conventional 
System 


— 

DEVICE 

FAILURE 

Ri\TE 

(t/1000 HRS) 

QUANTITY 

MAINTENANCE 
FAILURE RATE 
CONTRIBUTION 
(X/1000 HRS) 

AUTO PILOT/NAV 
FUNCTION FAIIURE 
BATE CONTRIBUTION 
(%/lOOO HRS) 

COMMENT 

HAV/FLT CONTROL SLNSORS/INSTRUMENTS 






Yaw Rate Gyro 

5 

1 

5 

5 


Magnetic Transmitter (KMT 112) 

2 

1 

2 

0 

Manual slaving assumed if failed 

Directional Gyro (KSC 105) 

33 

1 

33 

33 


Sla/e Control (KA 51A) 

1 

1 

1 

1 


Vertical Gyro (VG 208) 

33 

1 

33 

33 


Pitoc System, Left 

5 

1 

5 

5 


Pitot System, Right 

5 

1 

5 

5 


Encoding Altimeter (IDC 571) 

20 

1 

20 

20 


Air Data Conputer (KDT 380) 

20 

1 

20 

20 


VOR Receiver (KN 53) 

25 

2 

50 

2 5 


DM' Receiver (KN 62A) 

50 

1 

SO 

- 


Angle of Attack Sensor, Ind 

10 

1 

10 

- 


Turn and Bank Indicator 

15 

1 

15 

15 


a\T Sensor 

1 

1 

1, 

- 





26C 

141 5 


CONTROLS AND DIS^^LAYS 






Autopilot Mode Controller (KMC 340) 

34 

1 

34 

34 


Autopilot Annunciator Panel (KAP 315) 

3 

1 

3 

3 


ADI (KCI 310) 

20 

1 

20 

0 

Artificial hurizon backup, degraded perfoninnce 

Hoi (KPl 553) 

20 

1 

20 

0 

RMI backup, degraded performance 

RMI (K1 226) 

33 

1 

33 

0 

HSI backup 

Audio Control Panel (KMA 24) 

20 

1 

• 2<. 

- 


Failure Annunciator Pant.1 

3 

1 

3 

- 


Airspeed Ind i cat or 

28 

1 

28 

28 


ArtifiLial Hurizon (KG 253) 

67 

1 


0 





228 

65 


COMPUTER. LIECTRONICS 






Autopilot Compute r (lG\r 32 5) 

55 

1 

55 

55 


Flight Computer (kCP 320) 

85 

1 

85 

85 


RNAV System (kNC 665) 

90 

1 

90 

90 


VNAV Cffiiputcr (KVN 395) 

45 

1 

45 

45 


Performance Computer 

20 

1 

20. 

- 





295 

27n 
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Table 3-1. Reliability Estimate for a Conventional System (Sheet 2 of 2) 





MAINTENANCE 

AUTO PILOr/NAV 



FAILURE 


FAILURE RATE 

FUNCTION FAILURE 



W\TE 


CONTRIBUTION 

RATE CONTRIBUTION 


UtVICL 

(Z/IOOO HRS 

QUANTITY 

(^/1000 HRS) 

(X/1000 HRS) 

COHMEN'T 

S^K70 ArTUAfOPj 

7 

1 

7 

7 


Pitch Servo 

7 

1 

7 

7 


Roll Servo 

7 

1 

7 

7 


Yaw Servo 

7 

1 

7 

7 


PiLcIi Trim Servo 

5 

1 

5 

5 





26 

26 


M0»Y1.T0HI1^ 






MAP Senior 

0 5 

2 

1 

- 

Not required for Autopilot, NAV function 

RPM Senaor 

1 

2 

2 

- 


Cowl Flap Position 

5 

1 

5 

- 


Flap Position 

2 

1 

2 

- 


elevator Trim Postlon 

2 

1 

2 

- 


Radar Altimeter 

50 

1 

50 

- 





57 5 

0 


Uti^iilEK RADAR 






Transtnitter/Recc 1 ver 

50 

1 

50 

- 

Not required foi Aucopilo , NAV funetion 

Display Unit 

5 

1 


- 





55 

0 


COWUJNICATIONS 






Convii Transceivers (KY l9o) 

33 

2 

66 

- 

Not required for Autopilot, NAV funetion 

DABS 1 ransponder 

40 

1 

40 

- 


DABS Control /Display 

30 

1 

30 

- 





136 

0 


LILCIRICAI POWi R SYsTcM 






A/C i?8VD.^ Bus, Aircraft Battery 

01 

1 

NOT INCLUDED 

01 


DL/AC Invertor 

1 

1 

1 

1 


DC /DC Converter 

3 

1 

3 

3j 





4 0 

4 01 




TOTAL 1056 5 

- 6 51 




MTDF » 94 6 HRS 

201 HRS 


t 















required to provide these functions. Failure contribution of 
dual VOR receivers was considered negligible. The total conven- 
tional system autopilot/navigation function failure rate, assum- 
ing a 1-hour mission, is 496.5 percent per 1000 hours for a mean 
time between loss of function of 201 hours. 

Corresponding PAAS maintenance reliability and autopilot /naviga- 
tion function reliability are compiled in Table 3-2. PAAS main- 
tenance reliability is 50 percent better than the conventional, 
system because: 

• High reliability digital electronics employed 

• High reliability solid state sensor technology employed 

• Electronic displays replace conventional instruments 

• PAAS integrated avionics architecture eliminates hardware 

PAAS autopilot/navigation function reliability is improved by a 
factor of 50 with respect to the "conventional" system, primarily 
due to the fault tolerant PAAS architecture. A PAAS gyro, accel- 
erometer or air data sensor failure can be tolerated without loss 
of a function. A PAAS processor failure, a power supply failure, 
and a servo failure can be tolerated without loss of function. 

This PAAS fault tolerance is accomplished with the minimum of 
redundant hardware, as described in section 3.1. 

PAAS would suffer gross loss of function for certain failure com- 
binations. For example, the PAAS configuration would be totally 
incapacitated by two like bus controller failures. The probabil- 
ity of such failures occurring during a 1-hour flight is extremely 
low, however; for example: 
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Table 3-2. Reliability Estimate for PAAS 


DEVICE 

FAILURE 

RATE 

(VlOOO HRS) 

QUANTITY 

MAINTENANCE 
FAILURE RATE 
CONTRIBUTION 
(X/IOOO HRS) 

AUTO PILOT /NAV 
FUNCTION FAILURE 
RATE CONTRIBUTION 
(Z/1000 HRS) 

COMMENT 

NAV/FLT CONTROL SENSORS 






Magenetic Transraitter (KMT 112) 

2 

1 

2 

0 

Manual periodic heading alignment required 
if KITT 112 fails 

Laser Gyro, Interface Electronics 

5 

4 

20 

2 

90X fault isolation capability assumec 

Accelerometer, Interface Electronics 

5 

4 

20 

2 

901 fault isolation capability assumed 

Pitot System, Left 

5 

1 

5 

5 

901 fault isolation capability assumed 

Pitot System, Right 

5 

1 

5 

5 

901 fault Isolation capability assumed 

Static Pressure Transducer 

5 

2 

10 

L 

901 fault isolation capability assmr.ed 

Differential Pressure Transducer 

5 

2 

10 

1 

901 fault isolation capability assumed 

VOR Receiver (KN 33) 

25 

2 

50 

0 

Manual switching if required 

DME Receiver (KN 62A) 

50 

1 

50 

- 


Angle of Attack Sensor 

5 

1 

5 

- 


OAT Sensor 

CONTROLS AND DISPLAYS 

2 

1 

2. 

179 

.1 
7 1 

907. fault isolation capability assumed 

Autopilot Mode Controller (KMC 340) 

34 

1 

34 

0 

IDCC page for backup 

EADI Display, Controls 

35 

1 

35 

0 

Manual switching of displays 

EHSI Display, Controls 

35 

1 

35 

0 

Manual switching of displays 

IDCC, Display, Controls 

35 

1 

139 

fi 

0 

Basic NAV page available on EHSI displays 

COMPUTER. ELECTRONICS 





Processor (8086, Memory) 

6 

11 

66 

1 8 

Autopilot, NAV, ADC, AHRS, RAU, Bus Controller 
processors only 957 fault isolation 
capabl 1 t iy as summed 

A/D, D/A, MUX 

6 

2 

12 

6 

951 fault issolation capability as summed 

Bubble Memory System 
SLR VO ACTUATORS 

50 

1 

50. 

128 

0 

2 4 

Not required unless another failure occurs 

Pitch Servo 

7 

2 

14 

0 

Servo-model comparison monitoring for 
fault isolation 

Roll Servo 

7 

2 

14 

0 

Servo-model comparison monitoring for 
fault isolation 

Your Servo 

7 

2 

14 

0 

Servo-model comparison monitoring for 
fault isolation 

Pitch Trim Servo 

5 

2 

10 

TT 

0 

0 

Servo-model comparison monitoring for 
fault isolation 


1 



















Table 3-2 


Reliability Estimate for PAAS (Sheet 2 of 2) 





MAINTENANCE 

AUTO PILOT/NAV 



failure 


FAILURE RATE 

FUNCTION FAILURE 



RATE 


CONTRIBUTION 

RATE CONTRIBUTION 


DEVICE 

(;i/10D0 HRS) 

QUANTITY 

(%/l000 HRS) 

(X/1000 HRS) 

COMMET 

MONITOR SENSORS 






H\P 

0 5 

2 

1 

- 

Not required for Autopilot., NAV function 

RFM 

1 

2 

2 

- 


Cowl Flap Position 

5 

1 

5 

- 


Flap Puslcion 

2 

1 

2 

- 


Lle/ator Trim Postilon 

2 

1 

2 

- 


Radar Altimeter (RT 221) 

50 

1 

50^ 

- 





57 5 

0 


Vn ATllER RADAR 






Tran^m tter/ReccUer 

50 

1 


- 

Not required for Autopilot, NAV function 




50 

0 


rO'llINt^T^V _ 






Co.imj Trn seel vers (KY 196) 

33 

2 

66 

- 


Transpn«J*.r 

40 

1 

±L. 

- 





106 

3 


Pi ni V ) / " , ->r M 






A'( 28V> Hu , Urcra t ery 

01 

1 

NOT INCLUDED 

01 

Pilot disenj^a, 1 ID nl a bi iv as iim ' 

PAAS Battery 

10 

1 

10 

0 

PAAS ’eslgn must operate without battery 

Laser Gyro Power Supply 

1 

1 

1 

L 


DT/DC Converter 

3 

2 

6. 

. 3 

95% fault isolation capability assumed 




17 

1 31 



TOTAL 728 5 

10 8 




KTBF - 137 HRS 

9260 HRS 









Dual Failure Probability = (^BC ” 1 x 10~® 
where : 

Age “ controller failure rate = 10%/ 1000 hours 
t = time = 1 hour 

The two-failure probability is similar to the order of magnitude 
of Military aircraft fly-by-wire flight control catastrophic 
failure rate. 

3.3 PAAS COST ANALYSIS 

PAAS and "conventional" system cost estimates, compiled in Tables 
3-3 and 3-4, indicate that the PAAS costs are similar to those 
for a conventional system. 

The cost figures used in the analysis were current King Radio 
catalog prices where available, or rough estimates based on simi- 
larity where catalog prices were not available. The PAAS com- 
puter cost estimate is an approximation extrapolated from the 
DAAS hardware mechanization. No estimate is available for the 
PAAS laser gyro AHRS, so a cost number corresponding to an electro- 
mechanical device was used. Conclusions are not affected even if 
this number is significantly increased. 

PAAS thus provides dramatic improvements in functional reliability 
without significantly increasing system costs. PAAS total costs 
are contained because PAAS is integrated and does not require 
dedicated controls and displays for its functions. 
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Table 3-3. Cost Estimate for a Conventional System 


Device 

Quantity 

Estimated 

Cost 

(Dollars) 

Basis For 
Estimate 

NAV/FLT Control Sensors 




Yaw Rate Gyro 

1 

1,200 

Catalog 

Magnetic Transmitter (KMT 112) 

1 

205 

Catalog 

Directional Gyro (KSG 105) 

1 

2,495 

Catalog 

Slave Control (KA 51A) 

1 

60 

Catalog 

Vertical Gyro (VG 208) 

1 

4,303 

Catalog 

Pitot System, Left 

1 



Pitot System Right 

1 



Encoding Altimeter ( IDC 571) 

1 

4,629 

Catalog 

Air Data Computer (KDC 380) 

1 

1,785 

Catalog 

VOR Receiver (KN 53) 

2 

3,730 

Catalog 

DME Receiver (KN 62A) 

1 

3,225 

Catalog 

Angle of Attack Sensor, Ind. 

1 

2,566 

Catalog 

Turn and Bank 

1 

700 

Catalog 

OAT Sensor 

1 

100 

Estimate Only 

Subtotal 


24,998 


Controls and Displays 




Autopilot Mode Controller 

1 

885 

Catalog 

(KMC 340) 




Autopilot Annunciator Panel 

1 

520 

Catalog 

(KAP 315) 




ADI (KCI 310) 

1 

5,610 

Catalog 

HSI (KPI 553) 

1 

7,200 

Catalog 

RMI (KI 226) 

1 

2,205 

Catalog 

Audio Control Panel (KMA 24) 

1 

675 

Catalog 

Airspeed Indicator 

1 

170 

Catalog 

Artificial Horizon (KG 253) 

1 

1,250 

Catalog 

Subtotal 


18,515 


Computer, Electronics 




Autopilot Computer (KAC 325) 

1 

3,035 

Catalog 

Flight Computer (KCP 320) 

1 

4,465 

Catalog 

RNAV System (KNC 665) 

1 

5,985 

Catalog 

VNAV Computer (KVN 395) 

1 

3,305 

Catalog 

Performance Computer 

1 

14,200 

Catalog 

Subtotal 


30,990 
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Table 3-3. Cost Estimate for a Conventional System (Sheet 2 of 2) 


Device 

Quantity 

Estimated 

Cost 

(Dollars) 

Basis For 
Estimate 

Servo Actuators 




Pitch Servo 

1 

2,140 

Catalog 

Roll Servo 

1 

2,140 

Catalog 

Yaw Servo 

1 

2,140 

Catalog 

Pitch Trim Servo 

1 

1.665 

Catalog 

Subtotal 


8,085 


Monitoring 




Failure Annunciator 

1 

75 

Estimate Only 

MAP Sensor 

2 

200 

Estimate Only 

RPM Sensor 

2 

1,200 

Estimate Only 

Cowl Flap Position 

1 

100 

Estimate Only 

Flap Position 

1 

100 

Estimate Only 

Elevator Trim Position 

1 

100 

Estimate Only 

Radar Altimeter 

1 

2,350 

Catalog 

Subtotal 


4,125 


Weather Radar 




Transmit ter /Receiver 

1 

13,000 

Split Estimate 

Display Unit 

1 

7,000 


Subtotal 


20,000 


Communications 




Comm Tranceivers (KY 196) 

2 

3,510 

Catalog 

DABS Transponder 

1 1 

2,000 

Estimate Only 

DABS Control/Display 

' 1 

4,000 

Estimate Only 

Subtotal 


9,510 


TOTAL 


$116,223 
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Table 3-4. Cost Estimate for PAAS 


Device 

Quantity 

Estimated 

Cost 

(Dollars ) 

Basis For 
Estimate 

NAV/FLT Control Sensors 




Magnetic Transmitters 

1 

205 

Catalog 

(KMT 112) 

Laser Gyro , Interface 


8,000 

Estimated of 

Electronics 



basis of cost 

Accelerometer, Interface 



of electromechan- ^ 

Electronics 



ical replacement 

Pitot System, Left 
Pitot System, Right 
Static Pressure Transducer 

2 

800 

Estimate Only 

Differential Pressure 

2 

800 

Estimate Only 

VOR Receiver (KN 53) 

2 

3,730 

Catalog 

DME Receiver (KN 62A) 

1 

3,225 

Catalog 

Angle-of-Attack Sensor 

1 

828 

Catalog 

OAT Sensor 

1 

100 

Catalog 

Subtotal 


17,688 


Controls and Displays 




Autopilot Mode Controller 

1 

885 

Catalog 

(KMC 340) 

EADI Display, Controls 

1 

7,000 

Estimate Only 

EHSI Display, Controls 

1 

7,000 

Estimate Only 

IDCC, Display, Controls 

1 

8,000 

Estimate Only 

Subtotal 


22,885 


Computer, Electronics 




Processor ( 8086 , Memory ) 

11 

9,600 

Estimate Only 

Power Supply and Misc. 


6,000 

Estimate Only 

A/D, D/A, MIX 

2 

2,000 

Estimate Only 

Bubble Memory System 

1 

2,000 

Estimate Only 

Subtotal 


19,600 


Servo Actuators 




Pitch Servo 

2 

4,280 

Catalog 

Roll Servo 

2 

4,280 

Catalog 

Your Servo 

2 

4,280 

Catalog 

Pitch Trim Servo 

2 

3,330 

Catalog 

Subtotal 


16,170 
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Table 3-4. Cost Estimate for PAAS (Sheet 2 of 2) 


Device 

Quantity 

Estimated 

Cost 

(Dollars) 

Basis For 
Estimate 

Monitor Sensors 



' 

MAP 

2 

200 

Estimate Only 

RPM 

2 

1,200 

Estimate Only 

Cowl Flap Position 

1 

100 

Estimate Only 

Flap Position 

1 

100 

Estimate Only 

Elevator Trim Position 

1 

100 

Estimate Only 

Radar Altimeter (RT 221) 

1 

2,350 

Catalog 

Subtotal 


4,050 


Weather Radar 




Transmitter/ Receiver 


13,000 

Transceiver/ display 




Split Estimate 

Subtotal 


13,000 


Communications 




Comm Transceivers (KY 196) 

2 

3,510 

Catalog 

DABS Transponder 

1 

2,000 

Estimate Only 

Subtotal 


5,510 


TOTAL 


$98,903 
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3.4 PAAS MAINTAINABILITY ANALYSIS 


The projected advanced Avionics System (PAAS) maintenance test 
concept IS depicted in Figure 3-5. Highly effective avionics 
built-in test (BIT) is anticipated. On-aircraft functional test- 
ing and fault localization to a module within an LRU are expected 
to be feasible with minimal test equipment. The fixed base oper- 
ator could exploit the BIT capability and minimize his special 
purpose test equipment and become more a storehouse of replace- 
able modules. The avionics should include capability for on- 
aircraft trouble shooting by the fixed base operator. Faulty 
modules could be repaired at the factory. 

BIT design objectives consistent with the above maintenance phil- 
osophy are • 

• Minimize fixed base operator test capability requirements 

• Maximize BIT fault localization capability 

Of course, the resulting BIT mechanization must not significantly 
increase avionics cost. 

DAAS BIT modes include: 

• In-flight test 

• Functional test/fault localization - automatic 

• Functional test/fault localization - interactive 

• Maintenance trouble shooting 

In-flight -test is continuous and will generate a warning when a 
detected failure will disable a system function. The DAAS will 
automatically reconfigure for computer unit processor failures. 


Ill 
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ON AIRCRAFT MAINTENANCE 



• FUNCTIONAL TESTING - 95% CONFIDENCE 

• FAULT LOCALIZATION TO LRU - 90% CONFIDENCE 

• FAULT LOCALIZATION TO REPLACEABLE MODULE - 
10 -90% CONFIDENCE 

• TESTING, TROUBLESHOOTING VIA lOCC 



FIXED BASE OPERATOR 

• ON AIRCRAFT MAINTENANCE 

• LIMITED GENERAL PURPOSE TEST EQUIPMENT 

• REPLACEABLE MODULE STOCK 

• IRU STOCK (LIMITED RENTAL UNITS) 



DEPOT/FACTORY 

• MODULE, LRU ATE 

• STANDARD LRU ATE BUS INTERFACE 

• MODULE, LRU REPAIR 

• SPARE PARTS STOCK 


Figure 3-5. PAAS Maintenance Concept 





In-flight failures that are detected by BIT will cause the amber 
warning light to flash. A message will be displayed on the IDCC 
on the line reserved for warning messages. The message will be, 
"Device Failure" followed by identification of the failed device. 
(Vertical Gyro, Compass, etc.). 

Functional Test /Fault Localization, Automatic, is performed at 
power-up, or when commanded by the operator, and tests system 
components as feasible without operator interaction. This test 
function exercises DAAS equipment and identifies failed LRUs as 
well as failed modules within the LRU as feasible. 

Functional Test/Fault Localization, Interactive, is performed on 
command and allows testing of devices where operator actions or 
observations are necessary to complete a test. IDCC and EHSI 
test pattern tests are included in DAAS as examples of avionics 
interactive testing. 

Maintenance trouble shooting allows the operator to apply signals 
and measure signals via IDCC. Memory words can be displayed. 
Analog and discrete signals can be applied at computer outputs, 
and various system analog and discrete signals can be measured 
and displayed. 

Fault localization and replacement of a faulty avionics line re- 
placeable unit can be accomplished in mean time of 15 minutes 
with the level of BIT envisioned for PAAS. Repair of a faulty 
unit, i.e., fault localization and replacement of a faulty part, 
can be accomplished in mean time of 1 hour. 

PAAS packaging must be designed to allow operator removal of 
hardware modules and continued operation with only partial loss 
of function. 
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3.5 PAAS MODULARITY ANALYSIS 


PAAS is designed to be modular. The system is constructed of 
building blocks that can be configured to provide varying levels 
of functional capability depending on user requirements. The 
design IS intended to facilitate addition of functions without 
major upheaval to the existing aircraft control panel or existing 
avionics. 

Modularity is achieved through: 

• System architecture 

• Controls and displays modularity 

• Hardware modularity 

• Software modularity. 

Basic system architecture, i.e., multimicroprocessors inter- 
connected via data bus, supports modularity. Functions can be 
added by adding appropriate process or modules, and the process- 
ing can interface to the system through the data bus. 

PAAS employs programmable controls and displays that can be re- 
configured for various functional complements. The IDCC includes 
basic mechanical controls (keyboard page callup buttons, etc.) 
and a programmable display. The basic display module is the dis- 
play page. The page can be used as a function control panel or 
for required data and information input /output . The EHSI and 
EADI are displays that can be programmed for the set of functions 
included in a particular PAAS installation. 

PAAS hardware is modular. Standard modules can be added to pro- 
vide computing power, memory, or I/O required for added functions. 
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PAAS software is structured and modular. Each of the hardware 
modules are programmed with Independent software modules that 
require minimum interfaces with other functions. These software 
modules are developed using structured design techniques. The 
system modularity has been demonstrated by addition of the DABS 
function. 

The integration of DABS into DAAS late in the DAAS development 
program demonstrates basic modularity. Incorporation of DABS 
required — 

• Installing a DABS transponder in the aircraft, and interfac- 
ing it to the DAAS computer unit. 

• Adding a DABS processor module, including software, and two 
DABS interface electronics modules to the DAAS computer unit. 

• Adding three DABS pages to the IDCC. 

• Adding a DABS "Message Pending" light to the panel. 

The DAAS processor module is appropriate for DABS computations. 
DAAS keyboard and IDCC page formats are appropriate for DABS. 
Consequently, DABS readily fit into the DAAS framework. PAAS 
modularity is further assessed in the following paragraphs. 

3.5.1 PAAS System Modularity 

PAAS system modularity is demonstrated in Figure 3-6. The vari- 
ous levels of functional capability are depicted. The core PAAS 
functional entity is the autopilot. 

The autopilot processor and a basic I/O terminal are required for 
this function. 


115 




SERVO SET 2 
OTHER 




PAAS FUNCTIONAL LEVELS 
I I 1 AUTOPILOT 



2 AIR DATA FUNCTION 

3 AHRS ADI FUNCTIONS 



NAV. EHSI. IDCC FUNCTIONS 


ills DABS 




6 WEATHER RADAR 


7 FAULT TOLERANT CAPABILITY 






Figure 3-6. PAAS Modularity 











A second version of PAAS could include the autopilot and the 
air data functions. In this version, the air data function would 
only supply references for the autopilot. Altimeter and IAS data 
sources would be independent . 

A third version of PAAS could have autopilot, air data, AHRS, and 
the electronic ADI that includes the altimeter, IAS and VSI dis- 
plays. 

A fourth version could also include the NAV, EHSI and IDCC 
functions. 

A fifth version could have DABS added, and a sixth version could 
include weather radar data superimposed on the EHSI. 

A seventh version could include the necessary redundant hardware 
for fault tolerant operation. 

Each version of PAAS would be complimented by systems necessary 
for desired functional capability and backup. A particular ver- 
sion of PAAS could include spare room to allow incorporation of 
some additional capability: either the defined next higher level, 

or a yet-to-be-defined advanced capability. 

3.5.2 PAAS Controls and Displays Modularity 

The ideal controls and display configurations from a modularity 
standpoint, would include only general purpose controls. No con- 
trols dedicated to a specific function would be allowed in order 
to minimize impact on panel hardware when a function was added. 

In an idealized PAAS configuration, controls would include a 
general purpose keyboard, and one IDCC page callup button for 
each function. 
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DAAS has deviated from this ideal in certain respects 

• Various dedicated NAV function controls are implemented 
above the IDCC, included with page call-up buttons; i.e., 

USE, CRS, SEL, LAT DIR TO, AUTO CRS SEQ. 

• Dedicated map control buttons are implemented next to the 
IDCC; i.e., HDG/NOR, MAP/CRSR, MAP RTN, WP BRG, REVU, MAP 
SCALE . 

• Dedicated autopilot mode controller, annunciator panel. 

• Other function controls 

These dedicated function controls were implemented to maximize 
their accessibility. 

Dedicated NAV function controls could be avoided if these controls 
were instead implemented in IDCC pages. The penalty for elimina- 
tion of dedicated NAV function buttons is as follows: 

• One additional button push required to activate LAT DIR TO. 

• One additional button push required to change waypoint data 
access from linked waypoint, to unlinked waypoint. 

The advantage of this approach, in addition to improved modularity, 
IS elimination of dedicated NAV function buttons above the IDCC, 
which leaves only page call-up buttons there. This eases system 
comprehension . 

Current dedicated map control buttons do not significantly degrade 
modularity. They can be an integral part of the EHSI assembly. 
Spare control buttons should be included, however, for additional 
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functions which use the EHSI, which will also have dedicated con- 
trols, e.g., weather radar. 

The PAAS Autopilot mode controller is a dedicated panel. Acces- 
sibility to the safety critical mode controller seems to preclude 
its incorporation into multifunction control facilities such as 
the IDCC. The autopilot mode annunciator panel would likely be 
incorporated into the EADI if EADI were included in PAAS. 

3.5.3 PAAS Hardware Modularity 

The existing DAAS hardware is modular. The basic hardware build- 
ing block is the processor board, Figure 3-7. This 6.25 by 6.25 
inch printed circuit board includes 

• INTEL 8086 16-bit microprocessor 

• 2K X 16 PROM Memory 

• 4K X 16 RAM Memory 

• Crystal clock 

• IEEE 488 bus talker/listener/controller 

• Interrupt controller 

If more than 4K x 16 memory is required for a particular PAAS 
processor, a supplemental 6.25 by 6.25 inch memory board is used. 
This memory board can contain up to 12K x 16 additional RAM 
memory. Other hardware modules that could be employed in a PAAS 
system include. 

• EADI, EHSI display refresh memory module 

• Bubble memory module 

• Analog/Discrete I/O modules 
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DAAS Processor Module 


PAAS would employ a higher level of circuit integration than the 
existing DAAS system. Custom VLSIC would be economical for PAAS 
for the basic hardware modules. Exploiting modularity of a pro- 
duction version of PAAS requires the following hardware design 
considerat ions 

• The PAAS computer box must have sufficient room and external 
connector pin capacity to support eventual growth. 

• Power supply - The PAAS power supply must have reserve capac- 
ity to support eventual system growth or else the power sup- 
ply must be changed as functions are added. 

• Data bus throughput - The PAAS data bus must have sufficient 
throughput margin to support eventual system growth. The 
current system IEEE 488 bus is only 30 percent loaded, which 
IS consistent with this requirement. The PAAS data bus 
would require higher throughput to accommodate the AHRS and 
weather radar functions. 

3.5.4 PAAS Software Modularity 

PAAS software must be modular. Functions are implemented in 
software modules; i.e., independent programs with single entry 
and exit, separate data locations and clearly defined and con- 
trolled Interfaces. Data bus communications are managed in an 
orderly fashion by the bus control processor, with growth in mind. 
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SECTION 4 

CONCLUSIONS AND RECOMMENDATIONS 


The DAAS system design is completed, and flight hardware built. 
Simulator evaluations have been performed. The PAAS configura- 
tion has been defined and analyzed on the basis of cost, reliabil- 
ity, maintainability, and modularity. The following conclusions 
and recommendations are based on the experience associated with 
this effort to date. 

• Functional Configuration - DAAS provides expanded functional 
capability with respect to currently available avionics and 
has the potential to significantly improve single pilot IFR 
safety and efficiency. The DAAS architecture provides the 
framework for additional expansion without the requirement 
for added displays. This is accomplished by using the shared 
data base, displays and bus. The distributed architecture 

of the system provides for functional independence. This 
minimizes the number of needed interfaces between functions 
and thereby reduces data input and subsequent pilot training. 

• Function Set - The DAAS function set is comprehensive and 
suitable for demonstration. Operational simplification and 
functional additions have been suggested that may be appro- 
priate for an operational system. 

• Cost - The DAAS concept is cost effective, and has cost ad- 
vantages with respect to conventional avionics as the number 
of integrated functions increase. 
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• Reliability - The DAAS system architecture reduces computer 
system failure rate to a negligible portion of the total 
system failure rate. Sensor and servo failure rates dominate. 
Low cost sensor and servo redundancy should be pursued with 

a goal of 10,000 hours in-flight MTBF for autopilot and basic 
navigation functions to provide extremely reliable pilot re- 
lief to facilitate effective flight management. The PAAS 
configuration promises much higher functional reliability. 

• Maintainability - DAAS offers improvements in avionics main- 
tainability through improved reliability, automatic fault 
detection and isolation, and on-aircraft trouble shooting 
without special test equipment. 

• Modularity - DAAS is functionally modular, with general pur- 
pose controls and displays, and hardware and software build- 
ing blocks to provide varying levels of capability. Expan- 
sion of capability has minimum impact on the existing aircraft 
control panel and existing avionics. 

Following is an expansion of these conclusions and recommendations. 


4.1 FUNCTIONAL CAPABILITY 

The DAAS system provides comprehensive facilities for flight 
management. Concensus of evaluations is that DAAS provides im- 
proved functional capabilities with respect to current avionics, 
and has the potential to significantly improve single pilot IFR 
efficiency and safety. Checklists, weight and balance, and per- 
formance functions are convenient to use, and they support good 
pilot practices. The moving map display, IDCC data readout, and 


123 



comprehensive warning system inform the pilot of flight status. 

The autopilot, which couples to the NAV system, provides the 
necessary relief that allows the pilot to monitor and effectively 
manage his flight. 

The DAAS moving map display is well received and considered a 
major aid in flight management. However, the following enhance- 
ments have been suggested. 

• Terminal area display should be expanded to include stored 
approach plate details. Automated terminal area flight 
management including coupled NAV and autothrottle functions 
should be considered. 

• It would be desirable to accurately display the runway during 
landing approach. This could, perhaps, be feasible if 1) a 
strapdown AHRS with short term INS capability were a part of 
DAAS, or 2) MLS were included, or 3) GPS were included, or 

4) ILS/DME navigation mode were included. 

• A color map display would be useful to facilitate increased 
display information content. 

• Expansion of DABS to aid in congested terminal area communi- 
cations would be desirable. 

• Incorporation of an EADI into DAAS would be an appropriate 
follow-on effort to further develop the concept. 

The DAAS function set is considered representative and adequate 
for demonstration purposes. There are areas where changes might 
be considered for an operational system. For example, DAAS com- 
plexity must be controlled and pilot/system interface must be 
efficient to maximize pilot access to DAAS functions. 
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DAAS controls and displays have been generally accepted by 
evaluators, including the alphanumeric keyboard. The system 
simulator IDCC touchpoint mechanization was found objectionable 
because : 

• No tactile feedback to indicate signal initiation. 

• Smudges on CRT face obscured image. 

• Inadvertent data entries possible if touchpoints are not 
accurately touched. 

An alternate approach using bezel-mounted buttons has been added. 

The DAAS Kalman filter blending of VOR/DME data with dead reconing 
position IS expected to improve navigation, precision and stabil- 
ity. The addition of DME/DME integration into the DAAS algorithms 
seems like an appropriate follow-on. Integration of an IRS to 
augment the blender position should also be considered. 


4.2 COST 

DAAS includes significantly more functional capability at a cost 
competitive with conventional avionics, as illustrated in section 
3.3. The DAAS cost advantage will become more decisive as more 
functions are incorporated. For example, DAAS could be expanded 
to integrate . 

• Weather radar 

• Air data computer 

• Autothrottle 

• Automatic storage of airport facility data 
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• AHRS 


• Radar altimeter 

• Other functions 

Therefore, with each function added total system cost per func- 
tion would come down since packaging power supplies, and controls 
and displays are shared in DAAS and need not be duplicated for 
separate functions. 

Consequently, the DAAS concept of integrated avionics is cost 
effective. 


4.3 RELIABILITY, SAFETY 

The PAAS system reliability, including sensors, instruments, 
computers, and servos is estimated to be 137 hours MTBF. This 
system reliability is expected to improve as integrated circuit 
technology advances, and electromechanical devices are replaced 
by solid state devices. 

The existing DAAS NAV/Autopilot function reliability is estimated 
to be 9260 hours mean flight time between loss of function. 

The DAAS architecture, using advanced electronics, has produced 
a very reliable computer system. Consequently, DAAS reliability 
was affected mainly by sensor and servo failure rates, e.g., 
system sensors and servos contribute 96 percent of the autopilot 
failure rate. Since the autopilot and NAV functions are essen- 
tial to effective flight management, it is recommended that low 
cost redundant sensor and servo configurations be pursued, with 


126 



a goal of 10,000 hour NAV/autopilot flight MTBF. The DAAS 
architecture can cost effectively provide such reliability. 

The failure mode effects analysis of 86 DAAS elements concludes 
that, with recommended modifications implemented, DAAS failures 
are tolerable and safe. The DAAS safety pilot's contribution to 
flight safety is also acknowledged, especially in take-off and 
landing situations. 


4.4 MAINTAINABILITY 

DAAS concept offers improved maintainability through: 

• Improvements in hardware reliability 

• Built-in test for automatic fault detection, localization 

• Capability for on-aircraft trouble shooting without special 
test equipment. 


4 . 5 MODULARITY 

The DAAS system is functionally modular. It is composed of hard- 
ware and software building blocks that can be configured to pro- 
vide varying levels of functional capability and cost. Expansion 
of capability will have minimum impact on the existing DAAS air- 
craft control panel and avionics. 

The DAAS system can be adapted to interface with devices from a 
variety of manufacturers. For example, hardware and software 
modules could be developed to allow use of different NAV receivers. 
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even if the NAV receivers were not equipped for remote tuning. 
Manual tuning would be required in this version of DAAS, on com- 
mand from the IDCC. The system can also accept input signals 
from sensors supplied by a variety of manufacturers. The variety 
of subsystems with which a production version of DAAS would be 
compatible would be determined in a marketing study. 

DABS integration into DAAS late in the DAAS development program 
demonstrates basic modularity. Incorporation of DABS required; 

• Installing a DABS transponder and control panel in the air- 
craft, and interfacing it to the DAAS computer unit. 

• Adding a DABS processor module, and two DABS interface elec- 
tronics modules to the DAAS computer. 

• Adding three DABS pages to the IDCC. 

• Adding a DABS "Message Pending" light to the panel. 

The DAAS processor module is appropriate for DABS computations. 
DAAS keyboard and IDCC page formats are appropriate for DABS. 

DABS readily fit into the DAAS framework, thereby demonstrating 
that DAAS is a highly modular system. 
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GLOSSARY 


ADI - altitude direction indicator 
AHRS - Altitude Heading Reference System 
ALT - altitude, altitude hold 
ARM - arm 

ATC - Air Traffic Control (National) 

BIT - built-in test 

CC - central computer 

ecu - central computer unit 

COM - communication 

COMM - communication message 

CPU - central computer unit 

DAAS - Demonstration Advanced Avionics System 

DABS - Discrete Address Beacon System 

DME - distance measuring equipment 

EHSI - electronic horizontal situation indicator 

ELM - extended length message 

EPROM - electrically alterable PROM 

ETA - estimated time of arrival 

FAR - federal aviation regulation 

FDI - flight director indicator 

GMT - Greenwich mean time 

GS - glideslope 
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GLOSSARY 


HDG - heading 

IAS - indicated air speed 

IDCC - integrated data control center 

IFR - instriunent flight regulations 

LOG - localizer 

MDA - minimum descent altitude 

MLS - microwave landing system 

NAV - navigation 

NAVAID - navigational aid 

PAAS - Projected Advanced Avionics System 

PROM - programmable read-only memory 

RAM - random access memory 

RAU - radio adapter unit 

RMI - radio magnetic indicator 

ROM - read-only memory 

RPM - revolutions per minute 

SEL - select 

SM - standard message 

UV - ultra-violet 

UV-EPROM - ultra-violet eraseable PROM 
VFR - visual flight regulations 
VHF - very high frequency 
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GLOSSARY 


VNAV - vertical navigation 

VOR - VHF omnidirectional (omni) range 

VOR/LOC - VOR localizer 

VOR/LOC/GS - VOR localizer glideslope 

VSI - vertical speed indicator 
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APPENDIX A 

PROFILES OF DAAS TEST PARTICIPANTS 

SUBJECT PROFILE #1 
Name: Bill Unternaehrer 

Position Design Engineering, Honeywell, Inc, 

Number of Years Active Flying: 13 years 

Certified Flight Instructor: Yes 

Ratings: ATP, MEL, Commercial, SEL, SES, Glider 

Flight Instructor - Instrument and Airplane 
Experience with HSI; Yes (20 hours) 

Aircraft Flown Flight Hours 

Piper (Single & Twin) 550 

Cessna (Single) 1500 

Currently Fly Cessna 
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SUBJECT PROFILE #2 


Name Larry Pedersen 

Position. .Supervisor, Test Equipment Field Engineering, 
Hone 3 nvell, Inc. 

Number of Years Active Flying 15 years 

Certified Flight Instructor: Yes 

Ratings. ATP, Airplane and Power Plan Mechanic 

Flight Instructor - Airplane and Instrument 

Experience with HSI . Yes (King HSI) 

Aircraft Flown Flight Hours 

Cessna (Single & Twin) 825 

Beech (Single & Twin) 205 

Piper (Single 800 

Others 20 20 

Currently Fly Beech Bonanza, Cessna 172, Cessna 421 


SUBJECT PROFILE #3 


Name Ron Albertson 

Position: Pilot, King Radio Corp. 

Number of Years Active Flying* 12 years 
Certified Flight Instructor. Yes 
Ratings: MEL, ATP, Gold Seal 

Flight Instructor - Airplane and Instrument 


Experience with HSI: Yes (KFC 300, KFC 200, KFC 250, 

Bendix 810, Mitchel) 


Aircraft Flown 

Beech 

Piper 

Cessna 

Bellanca 

Mooney 


Flight Hours 

3,000 

3,000 

3,000 

3,000 

3,000 


Currently Fly: All above 
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SUBJECT PROFILE #4 


Name : John Lindberg 

Position- Pilot, Instrument Flight Training 

Number of Years Active Flying: 10 

Certified Flight Instructor: Yes 

Ratings MEL, ATP 

Flight Instructor - Airplane and Instrument 
Experience with HSI: Yes (KFC 300, KFC 200, Collins Bendix, Narco) 


Aircraft Flown 


Flight Hours 


Beech 

Piper 

Cessna 

Bellanca 

Mooney 


1,000 

1,000 

1,000 

1,000 

1,000 


Currently Fly: All above 


SUBJECT PROFILE #5 


Name . Dan Rodgers 

Position: Director Special Projects, King Radio 

Number of Years Active Flying: 

Certified Flight Instructor. 

Ratings. MEL, Private Instrument 

Experience with HSI. Yes, Project Engineer KFC 300 and KFC 200 
Aircraft Flown Flight Hours 


Not available 
Not available 
Not available 
Not available 

Currently Fly All above 


Beech 

Piper 

Cessna 

Mooney 
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APPENDIX B 

DAAS FAILURE MODES AND EFFECTS ANALYSIS 
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1 


FAILURL 

no 

DAAS tLEMEDT 

FAILURE 

FAILURE 

RATE*^*^ 

AFFECTED 

ELEMENTS 

EFFECTS OF FAILURE 

DAAS 

WARN ETC 

FAILURE 

CATEGORY 

CUIiILhTS 

1 

Encoding A1 ti- 
me ter 

-571 Fault 

within the 
Altim 

200 

Altimeter 

Indicator 

Erroneous Visual Output 

Yes, Power 
Servo Loop 

3 

During IFk-conduioi.s 
Proximity harn uo not 
Detect Vertical Obstacles 





Dabs Transpond 
KT76A 

Erroneous Output 

II 

Error Check 
Amber Light 

3 

Misleads Traffic Control 





A/P CPU 

Erroneous 

"G Proximity Warn " 


3 

Wrong Warn Threstiold 





A/P U IDCC CPU 

Erroneous “Alt Advisory" 
Light Info (Alt Alert, 
HDA A OH } 


2 

“Secondary Effect" 





A/P & NAV CPU 

Erroneous Parapieter 
T 0 & Nav. Calculation 


3 

Wrong Fuel or T 0 - 
Distance Calculation 

Conclusion Far 91 do not require redundant altimeters for Cat 1 IFR. only for CAt 11 
The Probability for a failure Is *10'^ during 4 hours fit. significant! 

The co-pilot Instrumentation required In DAAS OK 

2 

Co-Pilot 

Altimeter 

Fault 
in the 
Altimeter 

200 

Altimeter 

Indicator 

Erroneous Visual Output 

No 

2 

Will cause some inconven- 
ience until decided which 
altim. failed. 


Conclusion Loss of the co>p11ot altitude info is a minor problem to the DAAS pilot The probability of loss of .2 

botn ^aro-al timers during 4 fit hrs. is A* ( xpitot + a altim)pilot •( a pitot ♦ a altim)co-pilot * (4‘250 10 ) 

- 10" A catastrophe will occur if the A/C collides with an object not detected by the proximity 
warning system The probability for this to happen is considerably less than 10"* 
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hnlLUi<L 

HU 

OMMo lLlIILiJT 

uU 

FAILUKl ATFlCTlO 
FAlLURt K>iTL*l0‘' lLlHOjTS 

lFFLCTS uT FAILUkL 

ummS EAILUKL 

WARii ETC CATEGORY 

CUi'liiLiiTS 

J 

Kdudr m1 Lillie ter 

kT2<:1 

Fault in 
kau Alt 
Inci Ant 

A/P CPI lUCC 

9U0 

m/p CPU o Ills I 

Erroneous *‘u Proximity 
Warn " 

Erroneous KaJ Alt Info 

Rad A1 1 
Valid 

(Amber Lignt) 2 

Tiie probduilitj «iO”^ 
fur uaro -anu 
Radar-Mltim failures 




Conclusion 

Uo Far requirement on 
A critical situation (4) 
negligible probability 

Rad Alt If installed, fail 
occur If both tne 8a ro Alt 
OK 

warn required Validity signal Ok 
and Rad Alt fails 

4 

True Air 
Speed Sensor 

VA21U 

Fault in 
Tas OR 
Sign Cond 

lUO A/P & tiav CPU 

EllSl 

Erroneous inputs to Nav 
& Fuel consum 
calculati ons 

do 2 

Pilot confused higiit 
create a probleiti if no 
radio dav availaole 




Conclusion 

TAS not required by Far 91 

It Is very unlikely (<10'^) tnat a TAS failure will cause a critical situation 
due to redundant IAS and VOR/UME information 

in UAAS 

5 

IAS Instru- 
ment 

Panel 

Instru- 

ment 

Failure 

280 IAS 

Indicator 

Erroneous visual output 

Ho 2 





Conclusion 

Single IAS Instrument OK for Cat 1 IFR, Far 91. Z required Cat 11 conditions 
Loss of IAS instrument not critical in DAAS Redundant visual speed info available 

b 

Co-Pilot 
lAS Instru- 
iiient 


Instru- 

ment 

Failure 

280 IAS 

Indicator 

Erroneous visual output 

No 1 

Neglec table to pilot 
Redundant Info available 
(IAS * KPH) 




Conclusion 

Loss of Co-Pilot lAS info no problem to the pilot 

The probability of loss of botn IAS indicators are (witn reference to fault ho 2) 

(4 330'lJ"®)^ '2*10“* Tne risk for a catastropne Is significantly lower in the oAAS 
systems since redundant info such as VOR/UME and angle of attack are available OK 

7 

Air Data 
Computer 

KUC- 

380 

Instru- 

ment 

Failure 

200 A/P CPU 

Erroneous a-H Signal 

Yes 2 

Alt Valid 
(Amber LlgJit) 

Additional Alt & VS 
info available Tne 
pilot monitors Alt nolu 




Conclusion 

Far part 91 do not require a 3rd lAS/ALT Sensor 
Tlie Alt /IAS valid and available redundant Info will 

minimize risks 
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FAILUKt FAlLliKt AFFtCTtU UAA!> FAILUKt 

HU UAAS ELbHLnT HO FAlLUKt K>^TL*1U^ ELtMEHTb LFFLCTb UF FAILURL WARN LTC CATLGURy CUMMbnTb 


Pitot system 

left faulty 50 

Altimeter 

Erroneous 

PTOT or 

VSI-IndIcator 

ALT & A-H Info 


PSTAT 

lAS-indIca tor 
ADC KDC-300 

IAS & VSI 
flight warning 
proximity ** 
transponder response 


Confusing Info 
Risk for wrong 
action In IFK 
cond Pilot or 
ground control 


9 


Co-pilot 
pitot system 


right faulty 50 
PTOT or 
PSTAT 


Altimeter Erroneous visual Info to NO 

VSI>1nd1cator co-pllot 

IAS-1 ndica tor 


Co-pllot not In the 
control loop 


Conclusion Dual PITOT systems required by FAR 91 only for CAT II operations For DAAS, the co-pilot and the right 
PITOT system provide adequate redundancy 

The probability of failures In both left and right PITOT systems Is ' (4 50- 10 ) <1U 

Very low risk! 


10 Outside air 
temp 


sensor or 5 HAV-CPU Erroneous input to T 0 , NO 2 

sign cond cruise, and fuel/dl stance 

failure calculat 


Fuel qty cnecks 
will alarm pilot In 
time for refueling 
Probability of failure 
low 


Conclusion No OAT required by FAR 

OAT failure Is not assumed to cause severe pilot problems It Is suggested, however, 
that Inputs to calculations such as OAT ALT etc are displayed to the pilot when used 


140 


FAILURE 

iiO 

uAmS eLlHeuT 

HO 

FAILURE 

FAILURE 

RATE *106 

AFFECTEO 

ELEMENTS 

EFFECTS OF FAILURE 

DAAS 

WARN 

ETC 

FAILURE 

CATEGORY 

COMMtnTS 

11 

Magnetic Flux 
ue tec tor 

kMT 

lU 

Faulty 
Hag. North 
ref signal 

2U 

Radio Hagnetic 
indicator 
and EHSl 

Erroneous Visual Output 
(Dir GYRO slaved to 
Hag Fx Det ) 

Ho 


3 

The pilot misled uy <.-j 
indicators giving consistent 
faulty information 






VP - CPU 

Faulty Hdg trror 
in Hdg-hold mode 



3 

KHT112 essential unit! 






HAV - CPU 
IDCC-CPU 

Faulty Navigation 
and fuel/distance 
calculations 



3 

Kalman Filter will output 
excessive winu. Spoiling 
calculations 




Conclusion 

Far 91 requires mag dir indicator and dir GYRO for 
Co-pilot dir GYRO and Hag compass makes DAAS okl 

IFR 2 

dir GYROS req for 

Cat 11 cond 

12 

Slave Acces- 

KA 

SIA 

Dead or 

wrong 

output 

lU 

The indicator 

Faulty visual output 

No 


1 

RMl and siag compass info 
available to pilot, elimi- 
nates confusion 




Conclusion 

Far ;^1 do not explicitly 

state the need of a slave accessory 




U 

Uirectioiial uYRO 
including 
Scott T/UIa 

KSG 

106 

Faulty 

Hdg Out- 
put 

300 

Radio magnetic 
Indicator and 
EHSl 

Erroneous visual output 

Yes 

Hdg valid 
(Amber Light) 

3 

Dir GYRO essential See 
See no 11 coiiiiaents 


A/f* • CPU Faulty Hdg trror in 

ikJg Mode 

iiAV - CPU Faulty navigation 

and fuel /distance 
lUCC-CPU calculations 

Conclusion See fault No 11 comments 

The Uir CYkO valid! ty* test coverage ' 70 a Probability for undetected failure (U J 4 • 3oO«lQ~^) 

' 4*10~** during a 4 hours flight Still significant! 

14 Radio magnetic KZ Fault in 330 RMl indicator Erroneous visual output Ho i Mag compass, PUI and criSi 

indicator 226 the RMl provides redundant info to 

GYRO or VOR mode pilot 

Conclusion Far requirement see No 11 OK 
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1 


1 


I 




FAILURb 




FAILURE 

AFFEaEO 


UAAS 

FAILUKt 


NU 

OAAS bUMENT 

dO 

FAILURE 

RATb *106 

ELEMENTS 

EFFECTS OF FAILURE 

WARN ETC 

CATEGORY 

CQMI-tbNTS 


Co-Pilot 

fKMT 

Faulty 

20 

PNI 

Erroneous Visual Output 

Ho 't 



15 

Hag Flux 

^112 

Mag North 


(Slave Acc ) 





detector 

\ 

Ref Signal 







16 

Slave Accessory 

KA 

SIA 

Dead or 

Wrong 

Output 

10 

Slave Acc 

Erroneous Visual Output 

No 

> 1 

1 to the pilot 

17 

Directional 

KG 

Faulty 

300 

PNI 

Erroneous Visual Output 

No 


(2 to co-pilot) 


GYRO 

102A 

Hdg 

Output 


(Slave Acc ) 





Id 

Pictural Uav 

K1 

Mag Card 

330 

PNI 

Erroneous Visual Output 

No 




Indicator 
(P d I ) 

S26A 

Error 










Conclusion 

Loss of co-pilot slaved directional GYRO Info Is a minor problem to 

the OAAS pilot 





The probability of one failure In tne pilot slaved directional GYRO system and one 





failure in the co-pilot system Is (4 660 1U"®)2 <iu 

^ The probability Is remote and tne 





mag compass and VOR Info 

available makes the risk 

very low 



19 

Turn and Slip 

“RC 

Faulty 

ISO 

Turn Rate 

Erroneous Visual Output 

No 

1 

Turn rate determined from 


Instrument 

Allen- 

Turn Rate 


Indicator 



roll angle as replacement 




Instrument 
Paul ty 

10 

Slip 

« 

No 

1 

Side acceleration sensed by 




Slip 

Instrument 


Indicator 




pilot acceptable replacement 




Conclusion 

Single slip-skid Indicator required for Cat I and 1 

[I IFR. By Far 91. 






Loss of 

this Instnjnent minor problem 




iO 

Co-Pilot 


Faulty 

150 

Turn Rate 

Erroneous Visual Output 

No 

1 



Turn and Slip 


Turn Kate 


Indicator 






Instrument 


Instrument 

Faulty 

Slip 

10 

Slip Indicator 

Erroneous Visual Oiitput 

No 

1 



Instrument 

Conclusion I'legllgible to the pilot and co-pilot 
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FAlLURt 

NO 

DAAS LLLMbNT 

NO 

FAILURE 

FAILURE 

RATE*10® 

AFFECTED 

ELEMENTS 

EFFECTS OF FAILURE 

DAAS 

WARN ETC 

FAILURE 

CATEGORY 

COFWENTS 

21 

Yaw Kate GYRO 

GG 

2472 

Faulty 

GYRO 

bO 

A/P - CPU 

Worst Case Rudder trans- 
ient and convergent Yaw 
oscillations 

No 

2 

Inconvenient before Y/j 
and A/P disengaged 




Conclusion 

It Is assuiiied that the rudder servo slip clutch protects against dangerous siue- and 
angular-accleratlons and that tne A/P dump switch Is an adequate mean to disengage tne 
Y/0 

2c 

Angle of Attack 
:>ensor and 
InoiLaior 

Type 

tc 

Faulty 

Output 

luO 

A/P - CPU 

SUll warning given at 
nortiialcx, or not given 
wiieii needed 

ho 

c 

Vi»dal cneck of tac 
Indicator and crussuiecx 
Speed, vert s^eeu and 
attitude will reveal a 
fault 


Conclusion ilo Far requirement on an^ile of attack indicoitor or stall warnlmj 


Vertical CYPU 

VCi 

Faulty 

J3J 

Attitude Direct 

Erroneous "Artificial 

Yes 

2 

uifficult Failure to uctect 


2jJ 

Pitch 


Indicator 

aorizon" 

"Vert GYRO 


especially fur zero output. 



and/or 




Valid" 


since Hol, A/P and cnSl all 



Roll 




(Amber Lignt) 


agree Close ooservance of 



Signal 


A/P - CPU 
Servos 

Errors In control laws, 


2 

otner FC-instrunieats 
assumeu 





LilSl - CPU 

Error in predicted 
Trendlines 


2 



Conclusion Far requires 1 “Artifical iiorizon" for Cat 1 conditions and 2 for Cat 11 
Tne coverage of the validity test is ' (o 3 4 33U-ld"^) " significant* 

Far 23 1329 e) a nardover failure In tne vertical GYRO roll output propages via 

tne A/P cont laws to roll, yaw and pitch axis This is not acceptable to Far wording 

A modification to eliminate the Par-conflict Is reconinended 
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fMlLUi<L FAILUKL AFFECTED DAAS FAILUKE 

HO uMMi> tLtilLia tiO FAILUKE KATE*lu6 tUEMEWTS EFFECTS OF FAILURE WARN ETC CATEUUKY Cut-ynE.as 


24 

Attitude Uir 

kCI 

Faulty 

340 

"Artifl Horiz " 

Faulty Visual Output 


No 

2 

A/P modes and redundant info 


Indicator 

310 

"Artlf 


Indicator 





available 


"Artifl Hon “ 


Horizon" 











Conclusion 

Far 

requirements, see fault No 23 









The 

MAS Is OK In this respect 





25 

Co-Pilot 

KG 

Fault In 

670 

"Artifl Horiz " 

Faulty Visual Output 


No 

1 

The UAAS pilot can easily 


’’Artifi 

258 

"Artifl 


Indicator 





determine that the Nbzad is 


iiorizon" 


Horizon" 







faulty Several redundant 




Unit 







Indicators avallaole to him 




Conclusion 

Loss of the co-pilot Artificial Horizon Is a minor problem 

The suction 






indicator snows If "power* 

* Is available and provides valuable Info to 






the pilot 










The probability A of failures in both vertical, GYROS 

and " 

Artificial Horizons" during a 4 hr. 





flic 

jht Is - 4 .(330 + 340) . 10 x 4 .670. 10^ 

or 7 

.10^ 

. The risk for loss 





of £ 

)oth "Artificial Horizons" Is not negligible 

and may bring tne pilot in 

a 





dananding situation 






20 

Manifold 

Panel 

Instrument 

10 

Map Indicator 

Faulty Visual Uutput 


Ho 

2^ 

In case of an Instruiiient 


Pressure 


Failure 







failure tnese Instruments 


InstruHienFt 









and audiovisual feed backs 











r provide enough Info to 

27 

Engines KPH 

Panel 

Instrument 

10 

KPM Indicator 

Faulty Visual Output 


No 

2 

the pilot to allow correct 


Instrunent 


Failure 







failure localization 

20 

Exh Uas 

Panel 

Instrument 

10 

EUT Indicator 

Faulty Visual Output 


No 

2 



Temp Instr 


Failure 








29 

Engine Status 

Panel 

Low Oil 

10 

Eng Status 

Faulty Visual Output 


No 

3 

] Faulty indication of low 


Instrujiient 2 


Pressure 


Indicator 1 





( oil pressure may during 




or High 







> some conditions force 




Temp 







the pilot to shut off tne 











engine and land ASAP 

30 

Engine Status 

Panel 

Low Oil 

10 

Engine Status 

Faulty Visual Output 


No 

3 



Instrument 2 


Pressure 


Indicator 2 







or High 
Temp 


Conclusion Far 91 requires with exception of the EGT, the engine Instrumentation Listed above (VFK conditions) 
DAAS independent of these instruments 
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FAILURE 

UQ 

UAAS ELEMENT 

NO 

FAILURE 

FAILURE 

RATE*106 

AFFECTED 

ELEMENTS 

EFFECTS OF FAILURE 

UAAS 

WARN 

FAILURE 
ETC CATEGORY 

CUHriENTS 

31 

Fuel Flow 
Sensor 1 


Faulty 

Sensor 

5 

Fuel Flow 
Indicator 

Faulty Visual Output 

No 

2 

Fuel qty Info available 






IDCC 

Faulty IDCC Info 
“Fuel Remaining Time" 
“Estim Fuel Remaining*' 

No 

2 

“Estim Fuel Remaining" 
may Indicate too much 
left, which will mislead 
the pilot 




Conclusion 

Far 91 do not require a fuel flow sensor 
A faulty sensor night result In a pilot decision to continue 
Fuel qty cross checks rnay not reveal the situation It Is • 
pilot might end up In a flight safety critical situation (4) 

a flight without sufficient fuel 
1 low probability (<10*^) that tne 

32 

Fuel Flow 
Sensor 2 


Faulty 

Sensor 

5 

luENTlCAL TO FAULT NO 31 




33 

Fuel Qty 

Panel 

Faulty 
Sensor 
L or R 

IbU 

Fuel qty 
Indicator 

Faulty Visual Output 

No 

2 

UAAS provides independent 
and redundant Info re- 
garding remaining fuel 




Conclusion 

Far 91 requires fuel qty instrument for VFR conditions UAAS supports tne pilot in his 
fuel/distance/time calculations, wnich improves the probability of detecting fuel qty 
instrument failures 

34 

Manifold 

Pressure 

Sensors 

Cele- 

SCO 

Faulty 

Sensor 

0 

A/P - CPU 

Warning + No Map Fault 
Amber Light 
No Warn Map Fault 

No 

1 

Redundant engine instru- 
ments provides adequate 
info 

35 

Engine KPtI 
Sensors and 
F/V Converter 

NASA 

Faulty 

Sensor 

lU 

A/P - CPU 

lOCC 

Light 

Warning ♦ No RPH Fault 
Amber Light 
No Warning + RPM Fault 

No 

1 

Redundant engine instru- 
ments provides adequate 
info 




Conclusion 

OK 
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I 


FAILUKE 

NO 

DAAS ELEMtdT NO 

FAILURE 

FAILURE 

RATE*10® 

AFFECTED 

ELEMENTS 

EFFECTS OF FAILURE 

DAAS 

WARN ETC 

FAILURE 

CATEGORY 

CU-IMENTS 

36 

Uing Flap Pos 
Sensors 

Faulty 

Potentio- 

meter 

20 

A/P - CPU 
lOCC 

Warning ♦ OK flap pos 
Amber Light 
No Warning * OK flaps 

No 

1 

Regular inspection - 
routines will still be 
followed by tne pilot 

37 

Elevator Trim 
Pos Sensor 

Faulty 

Potentio- 

meter 

20 

A/P - CPU 
luCC 

Warning * OK flap pos 
Amber Lignt 

No Warning * uK flap pos 

No 

1 

Regular inspection - 
routines will still ue 
followed by tne pilot 

3U 

Cowl Flaps 
Pos Sensors 

Faulty 
Swi ten 

4 

A/P - CPU 
lUCC 

Warning + OK flap pos 
Amber Light 

No Warning OK flap pos 

No 

1 

Regular Inspection - 
routines will still oe 
followed by tne pilot 

3^ 

Landing bear 
Pos Sensors 

Faulty 
Swi ten 

4 

A/P - CPU 
lUCC 

Warning * OK position 
Amber Light 

No Warning * OK position 

No 

1 

Regular Inspection - 
routines will still be 
followed by tne pilot 

4U 

Cabin doors 
Pos Sensors 

Faulty 
Swi tch 

4 

A/P - CPU 
lUCC 

Warning OK position 
Amber Light 

ito Warning UK position 

No 

1 

Regular inspection - 
routines will still be 
followed by tne ^ilot 

41 

Aux Fuel Pumps 
Switch position 

Paul ty 
Switch 

4 

A/P - CPU 

lucc 

Warning * Ok position 
Amber Light 

ho Warning + OK position 


1 

Regular inspection - 
routines will still oe 
followed by the pilot 


Conclusion Far ^3 requires pitch trim Indicator (Included In basic instrumentation) uAAS 
provides additional Info to alert the pilot if the A/C status Is o1( It is 
assumed that the today used pre flight cneck routines will be followed (If not, 
the UAAS may Introduced new failure modes ) 
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FAILUKt 

NO 

DAAS tLLMtliT 

NO 

FAILURE 

FAILURE AFFECTED 
RATE^IO*^ ELEflEHTS 

EFFECTS OF FAILURE 

DAAS 

UARil ETC 

FAILURE 

CATEGORY 

CU^IMLNTS 

4^ 

LiJb - bwltun 
and related 
logic 

Control 

Ulteel 

Failed 
Swi ten 

b A/P - CPU 

Clutches 

CUS-Mode Engaged 
accidently. 

No 

3 

A/P and nold iimdes dis- 
engaged without pilot 
awareness No Info 




Conclusion 

Far requests adequate neans to disengage the A/P OK It Is assumed that the 

pilot by monitoring the Instruments will detect a not desired CUS-mode engagement and 
that lie will held the cont wheel steady when releasing the A/P 

43 

bo-Around 

Switch 

Control 

Wheel 

Failed 

Switch 

4 A/P - CPU 

Go-around mode engaged 
accidently 

NO 

i 

Information given on tne 
annunciator panel 






Go-around mode not 
engaged when wanted 


3 

Demanding tixxnents to tne 
pilot, especia 1y If In tne 
A/P-Appr/GS mode 




Conclusion 

If the go>around mode not Is available when needed a less experienced pilot may 
even create a critical situation (4»4*10-* x ?,low probability howevenj 


44 

Lng /uisen- 
gage-:»Mitcn 
Pitch Triiii 

Control 

Wheel 

Failed 

Switch 

4 A/P - CPU 

Trim Motor 

Disengage of A/P-modes 
accidently 

Only Aut. Trim available 

No 

2 

2 

Annunced 1 
Use Auto -Trim 

4S 

oeep-Triiii 
Pi ten 

Control 

Wheel 

Failed 

Switch 

4 A/P - CPU 

Trim Motor 

No Manual Trim 
Run-away Trim 


2 

3 

use Autu -Trim 
Use Auto -Trim 




conclusion 

The Auto -Trim function replaces Manual Trim In A/P iiiodes 



Su 

Aii tJ^lluC 
bump Switch 
anu held/ 

Control 

diicel 

Failed 
Swi tci) 

4+4 A/P - CPU 

Clutches 

disengage of A/P 
modes accidently 

1^0 

2 

Annunced 1 






dot possible to disengage 
A/P 


3 

uemandiiig in an A/P failure 
situation over power 
possible 


Conclusion Tne probability for this situation involves botn a switcli faijure and failure in 

another flight safety critical elenient tstimated probability * ~ (4 d-10"^ x 4»100J 10"^ UK 


I 


I 
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FAILURE FAILURE AFFECTED DAAS FAILURE 

NO DAAS ELEMENT NO FAILURE RATE*10^ ELEMENTS EFFECTS OF FAILURE UARN ETC CATEGORY COMMENTS 


47 


43 


49 


bU 


Lomiiunication 

Transceivers 

Antennas 


Navigation 

Receivers 

Antennas 


DHL receiver 
antenna 


Trans|ionder 

Antenna 


KY. 

19b 


KN- 

53 


KN- 

6aA 


KT- 

76A 


Faulty J30 Comnunication No coi.niuni cation No 1 Assumed Far 91 rules 

Radio Aids followed 


Conclusion 


Faulty 

VOR 


Conclusion 


Faulty 

Receiver 


Conclusion 


Faulty 

Transpond. 


Far 91 requires 1 two-way radio conmunlcations system, Cat I and II 
DAAS has 3 systems, Including antennas. Tne probability of loss of 
communication due to faulty transceivers Is for DAAS (4* 330- 10'® )2 x 4»660*1U'® 
(Co-pilot transceiver 660*10"® fault/FLT hour) OK. 


250 Radio Adpt. Box Faulty Navigation Info No 

NAV-CPU 

EHSI - RMI No or faulty VOR/GS 

Radio Adpt Box directions. 

WAV-CPU 
EHSI - ADI 


2 Traffic control support 

radar vectoring etc uAAS 
dead-reckoning 


Far 91 requires appropriate single channel navigation equipment for Cat I conditions 
and dual LOC/GS - receiving systems and a FC-guidance system for Cat It conditions 
DAAS provides triplex receivers and duplex-antennas, including co-pilot back up OK 


500 Radio Adapt Box Faulty Navigation Info No 

NAV-CPU 
EHSI 


2 Fault detected "Kalman- 

Uind* etc VOR available 


Far 91 requires DME if flying at and above 24000 feet Separate antenna UK 

400 Radio Adapt box No Identification possible No 1 Traffic control takes 

proper action 


Conclusion Far 91 do not retire transponder. 

The probability for a failure giving information possible to misinterpret by traffic control 
is neglected. Separate antenna 
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FAILUKL 

UU 


UMS tlUituT 


IIU 


FAILUKL 


FAILUKL 

RATE *106 


AFFECTED 

ELEMENTS 


EFFECTS OF 
FAILURE 


UAAb 

UARN 


ETC 


FAILUKL 

CATLtiOkY 


COWHLiUS 


One-way comm possible 


SI Audio headsets KMA-24 Fault in 200 Earsets, No audio Info NO 

receiving speakers Talk, Nav. OM MM 

microphones No outsoins talk 3 

Fault In 
transmit 
parts 

CONCLUSION FAE 91 requires only one cooimmlcatlon system. (Single failure allowed to block all audio coranunicatiool) 
DAAS provides 3 separate systems possible to connect to the pilot or copilot headset or speakers via re- 
dundant switches on the audio panel. Very good redundancy. OK. 


52 

Switch NAV 1 SEL 

Stuck in 4 

NAV-CPU 

Only one of manual or DAAS 

NO 

2 




one position 

NAVI - RECEIV 

control available. 




53 

" NAV 2 SEL 

" " 4 

NAV-CPU 








NAV2-RECEIV 

M II 

NO 

2 


54 

" DME SEL 

.. M ^ 

NAV-CPU 

Only one of NAV 1, 2, or 

NO 

2 





IME RECEIV 

DAAS control available 




55 

" VOR SEL RMI 

II II ^ 

NAV 1.2 RECEIV 

Only VOR 1 or 2 or none of 

NO 

1 





RMI 

VOR 1.2 avail, on RMI 




56 

" LOC/GS SEL ADI 

" " 4 

Radio adpt. 

Only LOC/GS info, from 

NO 

2 





box ADI 

NAV 1 or NAV 2 or what 





DAAS selects avail, on 
ADI 

COjCLUSION: These switches do not represent single point failures in critical single 

channels OK. Co-pilot backup. 


Assumed to create a 
confusing situation before 
the pilot finds out how 
a fault affects DAAS 
function, and how he has 
to set the switches for 
correct system operation 


IDCC keyboard & 
touch P. 


IDCC Selector switches 


Faulty in- 50 
puts to 
IDCC 

Faulty 40 
mode selection 


IKC, CPU 

NAV-CPU 

EHSl 


Erroneous fit. plan, flight 
status, way points, map, etc. 


NO /YES 


IDCC, CPU Wrong & not changeable "pages" NO 


Keyed in messages dis- 
played on IDCC before 
entered . Detectable 

Not wanted mode sel- 
ected & not possible 
to select desired mode 


IKC CPU, 
memory & 
display 


refresh- 


Faulty 75 IDCC, CPU Wrong or garbeled info, YES 

computation displayed, not under- BITE 

& presen- 300 standable 

tation 

CONCLUSION; The probability of the pilot's not detecting "No 57 errors" by IDCC or EHSI checks Is very low Ok 
in this respect. Hie BITE detects a^out SOX ^f all compute^ failures^ which reduces the probability 

hrs. 


Pilot misses IDCC AID 
Pilot detects the 
failure. 


of undetected failures from 75*4*10"® ■ 3*10"^ to 0 2'3*10'“^ ■ 


EHSl Selector switches 


Faulty 

mode 

selection 


20 


EHSI-CPU 

EHSl 


Wrong & not changeable modes NO 
or scales. 


Not possible to select 
desired mode 


EHSl, CPU 6. BIM, Faulty 75 " Wrong or garbled 

re fresh -memory computation info, displayed 

and and 

display presentation 300 

the probability for loss of EHSl is ^400*4*10 ^ - 1,6*10"^ per 4 fit. hrs. 
The possibility of reconfiguration (BIM + CPU) reduces the probability to 
BITE coverage. 


YES 

BITE 


Pilot misses EHSl info 
Fault detect possible 
by pilot. 




4*325*10 ” - 1.3*10"^ assuming 100% 
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FAILURl 

uo 

62 

63 

64 

65 

66 

67 

68 

69 

70 


\ \ \ \ \ \ ^ \ 


DAAS LLtHEHT 

UU 

FAILURE 
FAILURE RATE*10^ 

AFFECTED 

ELEMENTS 

EFFECTS OF 
FAILURE 

DAAS 

UARil ETC 

FAILURE 

CATEbORY 

col'll iLiiTS 


CONCLUSION. Reconflfturatlon of the most reliable elements does not Improve the risk situation very much! 

NAV, -facilities makes DAAS OK. BITE reduces undetected computer failures to 15*10*^ per fit. 
60*10“® per flight. 

The co-pllot 
hr. or 

Annunciator 
(>anel & drive 
circuits 

KAP- 

315 

Fault In 30 
panel or 
drlv. clrc. 

Annunciator 

panel 

Hissed or wrong mode status 
Info 

NO 

2 

Might temp mislead 
the pilot FC and 

NAV instruments will 
tell the truth, how- 


CONCLUSION. FAR 23.1329 requests means to Inform th« pllnr uhat A/n -nau 
mode Is engaged. Switch positions are not acceptable. DAAS 
OK In this respect. 

• 


ever 

Mode controller 
and drive cir- 
cuits 

KMC- 

340 

Faulty trim 60 
or hdg sel. 
knob 

A/P-CPU 
various parts 
of DAAS 

Trlm/hdg sel activated 
accidentally. 

NO 

2 

The pilot overrides 
and disengages the 
system 



Faulty tog- 180 
gle switches 


Engage not vanted mode 
Disengage vanted mode 
Hot defined mode (e.g. 
ATTetALT) 


2 

Demanding If a mode 
change takes place 
at busy part of the 
flight, or a mode Just 
quietly opens up 

If 


Faulty solen- 100 
old switches 

" 

Accidental engage or disen- 
gage of A/P (T/D) modes 


2 



CONCLUSION PAR 23 requirement on accesslblllCv of controls mot- ^ nr 




Auto pilot 

yav clutch, servo 

Roll Clutch, servo 

Fault in any 70 
hardware 

" 70 

Control surface Servo not movable 

Servo run away clutch not 
locking clutch allw. 
locked 

U II M 

NO 

NO 

2 

3 

Ho Y/D avail. 

Pilot override 
Disengage Y/D 

No roll A/P avail. 
Pilot override 
Disengage A/P. 

Fitch clutch, servo 

II 

" 70 

M 

II II 

NO 

3 

No pitch A/P avail. 
Pilot override. 
Disengage A/P, 

Trim clutch, servo 

" 50 

II 

Trim not moveable 
Trim run away 

Yea 

Trim 

monitor 

3 

Monitor detects trim 
runaways open circuit- 
ries, but not motor 
failures (e.g., only 
one direction.) 

Clutches comnon 
logic 


Faulty 5 

circuitry 

Control sur- 
facea 

None of the clutches en- 
gages. All clutches 
stay engaged. 

NO 

3 

No A/P engaged. Pilot 
must override in 3 
axes. 
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FAILURE FAILUKL AFFECTED EFFECTS OF FAILURt 

NU LiAAb tLtMtWT RO FAILURE KATL^lu^ ELEMEOTS FAILURE WARN ETC CATtGORY CUHMLiiTS 


CONCLUSION FAR 23 met regarding poa a lb Hit lee to override. PAR 23 requirement on fault in only one channel not met. 

The pilot might and up In a critical altuatlon if one or more of the aarvoa or of the clutchaa are not 
operational. No warning or info given. The pilot la In a critical altuatlon If he haa to override 
all 3 aervoa. The probability of not being able to engage all clutchaa la 10 *A /4 hra. Ihe probability 
of not being able to diaengage all clutchaa la (4* 5* 10 x (4'4*10‘®)^< lO’^^/A hra. 

The probability of a critical altuatlon la negligible! OK. 


71 A/P-I/0 

CPU + BIM 
A/D, D/A, MUX 


Fault In any Almoat all 

hardware 60 + 12 elementa! 
60 » 


GENERAL POSSIBLE 

FAILURE MODES 

MUX 

A/D 

CPU MEMORY 

D/A 

MU]f 

111 signals high 

or low 

X 

X 


X 


** 

zeros 

X 

X 


X 


M 

faulty 

X 

X 

X 

X 

X 

Separate signals 

" 



* 




Erroneoua 
Mode atatua 
F/D> command a 
aervo-comaanda 
Fit warning 
cruiae-perform 
fuel distance 
IDDC info 
EHSl map 
Annunciator 
Error may affect 
only one function, 
e.g., door warn- 
ing, or many 
elementa, e.g. D/A 
failure cooamanding 
3 aervoa hardover. 


YES 

BITE 

BITE 




The bite coverage la about 95Z It la very likely that BITE will detect even more of the severe failures 
requested to bring the probability of an undetected failure down to 10*‘^/4 hra. 


3 


I 

3 


The A/P-I/0 computer 
la a key element In 
DAAS Failure effects 
of all categories may 
occur. For instance, 
a CPU failure may 
affect separate In- 
structions, e.g. shift, 
which will spoil all 
mult, and div A 
D/A failure may cause 
all outputs to go high. 
Including all servos 
and ADI comnand bars. 


A BITE coverage of 99 9% la 


CONCLUS^Q}!: FAR 23 requirement on disengagement and poaalbllity to override is met. (The added IG-dump-swltch is helpful). 

FAR 23 requirement on only single axix hardover failure is violated. It la probable that failures occur which, 
detected or not by the BITE, will cause transients and shut down major parts of the DAAS. The DAAS co-pilot 
will, in such situations, take over and DAAS will be disengaged. 


Actions to resolve the FAR conflict is recomnended. 


72 

NAV FLT/PLAN 

Fault in 

60 + 12 

A/P comm, bars 

YES 


Undetected erroneous 


CPU & BIM 

any hard- 


A/P servos 

Erron comm, references BITE 


NAV computations may, 



ware 


EHSI 

Faulty map 

2 

during a fairly long 





IDCC 

Faulty NAV Info 


time, introduce A/C 





NAV I, 2 

Wrong frequencies 


position errors Several 





BUBBLE MEM. 

Store faulty NAVAID 


Indicators may give con- 






data 


sistently faulty info 








Loss of NAVAID after a 








detected fault may also 








bring problems to an 



CONCLUSION The 

probability 

of faulty NAV 

-6 -4 

calculationa isn^ 4>72 10 ^ 3*10 

without reconfiguration 

unexperienced pilot 


The probability of faulty HbV calculation. 1«/^ 4.72.10'® (l-ffe) + (4 72.10'‘)^ . (I-^q)" ® reconfiguration 

Reconfiguration improves the availability of the NAV calculations 5 times. Significant improvements requires 
better BITE coverage. 

DAAS with co>pilot OK 
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1 


1 




hAILoKL 

NO 

UMAb cLliiLhT hU 

FAlLbKE 

1-aIlORl 

RATL*1U& 

AFFECTED 

ELEMENTS 

EFFECTS OF 
FAILURE 

OAAb 

WAKh ltc 

FAILOKL 

CATlGOKY 

CuirfiUiTb 


73 

SPARE CPU & BIM 

Fault In 
any parts 

60 + 12 

EHSI or by 
NAV computer 
controlled 
elements 

Same failure affects as fault 
61 EHSI, CPU, and 72 NAV CPU. 

YES 

BITE 

2 

Similar to 
Mo 61 and 

faults 

72. 


CONCLUSION The likelihood Chat any spare CPU or BIM failure will affect Che DAAS performance Is negligible. Because 2 similar 
failures are required, the probabllltY^f or this Is (NAV, PAIL + EHSI FAIL) * (SPARE FAIL) or 
(72 + 72)*4‘10"® . (72*A*10 ®)^ 2*10 \ 

The spare CPU Itself will not harm the DAAS! 


74 Radio Adapter KRC Fault In 40 -I- 12 EHSI 
Box & BIM any part IDCC 

A/P (ADI) 


Mlstune HAV/DME recelv. 
Garble NAV data to NAV 
A/P CPU, which may affect 
visual Indicators and bugs 
as well A/P servos. 


YES 

BITE 


3 


CONCLUSION The co>plIot backup NAV instrumentation makes DAAS OK. 

75 DABS - Any part 60 + 12 IDCC No Identification possible 

CPU + BIM failure 

Panel 

Transponder Misleading IDCC Info 

presented to Che 1 pilot 

CONCLUSION SEE ALSO FAULT NO. 50 KT-76A TRANSPONDER. 

DABS NOT FULLY DEFINED. 


YES 

BITE 


76 Bus controller 
and reconflg 
CPU + BIM 


Any part 60 + 12 
failure 


All DAAS Power up mode. One or more YES 

computers & faults In one or more of the BITE 

functions CPU's when loading the pro- 


Normal Mode 

1. Misinterpretation of validity 
signals and shutdown of fault - 
free CPU, 

2. No warn, given for some BUS-CPU and 
IDCC-CPU failures. 

3. Bus control failures may result 
In missed Information or com- 
plete bus traffic breakdown 

Reconfiguration Mode 

The CPU may fall to recon- 
figure. 


1 


1 


3 


3 

3 


2 


The failure effects are 
dependent on engaged modes, 
e g during a coupled 
landing the DAAS may con- 
trol all indicators (except 
Che RMI) as well as Che 
A/P servos and ADI bugs. 


No readable output. 
Traffic control takes 
proper action 


These failures are 
expected to be 
detected by BITE 
or the pilot. 

These failures might result 
in a demanding situation If 
they occur during a busy 
flight phase. 


Loss of most of the DAAS 
functions In a busy flight 
phase Is demanding. 

Results In loss of EHSI 
or NAV computer. 


77 4BB Bus 


Faults In I EQUAL TO BUS CONTROL FAILURES NO, 76 

wires or con- 
nectors 

CONCLUSION ; Failures In Che bus controller may affect more than I channel. 
The DAAS co-pilot provides backup, making DAAS OK. 
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FAILbKt 

NU UAAS ELtfltNT 


78 Bubble Mem 


79 Cassette 


80 Alternator 
(Batt ) 
28VDC bus 


81 Avionics bus 
28 VDC 


62 DAAS A and B 
28 VDC bus 


83 DAAS bus 115 
and 26 VAC 


FAILUkC AFFECTED 
HO FAILURt RATE*1 j6 ELEMENTS 


EFFECTS OF 
FAILURE 


OAAS FAILUKL 

UAKIi LTC lATbUOKY CUMMLHTb 


Any part 300 All OAAS 

failure computera 

and func- 
tions 


All kinds of failures might YES. Mem 3 

occur from single Instruction sum checks 
failure to all CPU instructions in the CPU's 
faulty. 


CONCLUSION . Failures affecting more than 1 channel may happen. FAR 23 violation. The most severe failure 


A fault happening before 
flight will be detected 
by the mem sum. check 
or by the pilot before 
takeoff, A failure dur- 
ing flight followed by a 
temp power loss may. In 
a worse case, mean loss 
of the DAAS. 


Is bubble memory failure In air, followed by a temporary power loss during a demanding phase 

of the flight The probability for this to happen Is estimated at less than (300»4*10“”) x (50*4»10”")'^ 2 lo' . 
The probability for critical failures to occur due to the bubble memory Is low enough to make DAAS OK. 


Action Is reconmended to resolve the FAR conflict. 


Any part 500 Bubble memory The failure effects are similar YES 3 A fault will be detected 

failure to bubble memory failures. CPU mem. before flight. 

sum check 

CONCLUSION. Cassette failures will very likely be detected by BIT or the pilot before takeoff. The probability of an undetected 
cassette failure is Judged to be <10’”. DAAS OK 


Alternators, I All electrical Shuts down all major DAAS Obvious 4 Very critical situation 

Battery, bus units except sensors 

failures DAAS-buses 


CONCLUSION No FAR 23 or 91 requirements on avionics el. power bus redundancy or failure probability 

It Is assumed that the pilot quickly disengages a faulty A/C battery if it falls when any alternator is OK 
The probability >C of loss of the 28 VDC bus during 4 fit. hrs. Is thus. 

A ^ Alt. A xX Alt. B xA Batt +>{ bus a./ ( 200»4‘ lo'®)^ x (100 4 lo'°) + .1*10 “^a/ I 10‘^ 

NOTE The battery will be drained In less than I fit. hr. (Before the battery Is drained, the probability of 
open or shorted bus Is the most likely reason for electrical power loss). 


Connections, , Audio NAV, Loss of communication. NO 4 

switches bus * DME, X-ponder, 
etc 

CONCLUSION The reduncant lines and switches make the avionics bus as safe as the alternator 28VDC bus 
(Pilot and co-pllot Instrumentation electrical power should, in principal, be separated.) 


Connections, a/ * 5 
switches, 
diods, battery, 
buses 


DAAS CPU's Shuts down DAAS 
memories, 

EHSI, IDCC, 

PCS, etc 


YES 3 

BITE 


Affects both the pilot 
and co-pilot comtnun NAV 
equipment 


Reliability degradation 
Is due to single switches 
and lines 


CONCLUSION DAAS with co-pilot, demanding 3. Still low probability of electrical power loss! 


Lines, 10 
switches , 
converters 

CONCLUSION Loss of DAAS-i 


DIR & vert gyro Errors or i 
ADI, RMI, ADC ences, etc 
sign condlt 

Judged OK 


attitude refer- YES 

"VALIDITY" 


3 


I 


1 
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fAILUKt 

NO 

umAS LLlIIliJT 

llO 

FAILUKL 

FAILUKL 
RATE *10^ 

AFFECTED 

ELEMENTS 

EFFECTS OF 
FAILURE 

DAAS 

WARN ETC 

FAILURL 

CATEDUKY 

CoMmEUTS 

84 

DAAS 15VDC 


Lines 

switches 

inverter 

15 

ANALOG I/O 

Most sensor inputs missing. 

YES 

BITE 

3 


65 

DAAS 12VDC 


" 

18 

Bubble Mem. 

Reconfiguration not possible. 

NO 

3 

Probability of 
reconfiguration low 

66 

DAAS 5VDC 


II 

15 

IDCC 

CPU's 

Shut down of DAAS 

Obvious 

3 



CONCLUSION Failures 84 and 66 can be accepted In EAAS due to the co'-pilot backup. 
FAR 23 is not met for electrical power failures 82 to 86. 

Actions are recomnended. 


ADDITION DAAS Soft- 

ALL 

CPU's 

unknown 

A/P, servos, 

Any type of erroneous comm. NO 

3 

ware 




EHSI, IDCC, etc. 

and information. 



CONCLUSION . The DAAS co-pilot will take over and DAAS will be disengaged. OK. 



End of Document 



